Information Security News mailing list archives

[TSCM-L] Security? Huh!


From: InfoSec News <isn () c4i org>
Date: Mon, 25 Feb 2002 02:52:53 -0600 (CST)

[I saw this on another list that I am on (and recommend) and I
thought you all might be interested in reading this. -  WK]


---------- Forwarded message ----------
Date: Sat, 16 Feb 2002 01:03:36 -0500
From: Steve Uhrig <steve () swssec com>
To: tscm-l () yahoogroups com
Subject: [TSCM-L] Security? Huh!

This is something I posted to a Minox list when we got off on a security 
tangent. LX = the model of Minox camera I carry always. 

If anyone attempts to do penetration studies like this, make CERTAIN
the person who hired you is instantly available by telephone, AND you
carry the original of a dated and signed authorization specifically
detailing why you are there and that you are authorized to do anything
or possess anything in fulfillment of your contract. You do not want
to spend a day in the local lockup while you wait for your lawyer to
track down your client. I can promise you no one else will care nor
will the system care in the slightest about contacting your client or
taking care of medical needs or anything like that.

====================

I did a penetration study of a government facility within the last
several days (no clues when or where).

They knew it was going down on that day, but not by whom. I had not
been in the building in months.

They made a big show of checking my boot heels for the metal taps
which of course tripped the metal detector, my largish belt buckle,
X-rayed my aluminum cane, completely missed my black LX as I wrapped
it in what looked like a well used handkerchief in their little wicker
basket and none of them would lower themselves to inspect it. That LX
could have been my Case pocket knife or, God forbid, a box cutter or
nail file.

I had an empty leather holster for a small revolver plainly visible on
my belt. They didn't make a single comment on it. If I see an empty
holster on someone, I damn well want to know where the weapon is (and
in my opinion the safest place for it generally is in the holster). I
was going to tell them I had left it in my truck to avoid problems and
see if they would admit they had no security in the parking garage nor
ID of particular cars. Neither did anyone think to question my carry
permit, none of which are valid in DC.

After passing these heavy layers of security without incident, I went
into the men's room on the first floor and lowered down through the
window some string I had previously wrapped around my upper forearm. I
had a confederate outside the building tie a pistol-shaped TV remote
control to the line and I pulled it back up into the men's room.  
Previously I had placed a paper label on the remote saying 'this could
have been a weapon'. I left it on the CSO's (Cognizant Security
Officer's) desk.

And I'm not even clever, neither was I slipping Fatimah a hundred
bucks to conceal something for me.

As an experiment, I did shaving cream several video cameras along my
route, and in the hour or so I was in the building, no one bothered to
inspect them. The shaving cream was very visible and the facility was
in full swing. I dragged a trash can over and stood on it to shaving
cream the one camera. Later in my after action report, the cameras
merely had been written up to be checked the next day for proper
operation by the technicians. I carried the can of shaving cream in my
briefcase, and no one questioned that, which is suspicious considering
I have a full beard.

If I had really been trying to impress the place, I would have read
the frequencies of their small area coverage (radio) repeater, and
programmed a potent mobile radio in my van to jam coverage of their
commo system. I am positive they had no backup, and the only frequency
they had other than the repeater was talkaround on the repeater
output, and in that building talkaround had no range. I also could
have put out a decoy call of some sort and diverted the majority of
security to the other end of the facility. I knew it would work and
frankly it was not necessary to prove it.

The door to the telephone closet was unlocked. I walked in and stole
the SMDR report from the printer. I could, in seconds, have disabled
all internal and external phone communications into and out of the
facility.  With a bit more effort I could have jammed their cell
phones.

It's all eyewash. Security is nonexistent. It's a bank vault door on a
grass hut.

Although I am not willing to do it as a pure experiment to prove a
point, I am virtually certain I could arrange to gain access to a
handgun inside the secured area of any public airport in the country.

Federalizing security is a BIG mistake. Name one thing the government
does properly and efficiently. There may be a few things where they
are reasonably effective, like Secret Service dignitary protection,
but certainly not efficient. Pay the contractors so they can afford to
hire decent people, rework procurement so 250,000 hour a year
contracts are not won and lost on a nickel an hour, mandate some
training standards, equipment standards, and work out something like
bonuses to the officers who have the minimum number of sick days in a
quarter or a year, a substantial cash award to the shift with the
lowest vehicle expenses. Give the Captain on each shift a bunch of
signed $50 checks he could hand out at his discretion to officers
showing some pride in their appearance, attentiveness to their work
and courtesy to visitors, etc. I could write a program like this on
contract, we'd have reasonable security and it would be FAR cheaper
than the federal government could pull it off.

I could go on and on. But you don't want to hear it.

Steve  

*******************************************************************
Steve Uhrig, SWS Security, Maryland (USA)
Mfrs of electronic surveillance equip
mailto:Steve () swssec com  website http://www.swssec.com
tel +1+410-879-4035, fax +1+410-836-1190
"In God we trust, all others we monitor"
*******************************************************************


