Harmful Security

I’m in line at the guard post. The lady at the front desk is in her 50s. She speaks German on the phone, then English to the person in front of me. She then asks for my ID in French. I glance around the room. Security guards are keeping the entrance and the exit. Outside the bunker, a gate is also heavily guarded by employees who filter the few cars allowed to go through.

– Who are you here to see?
– Joseph Leblanc (name changed) from the flight performance department.
– Let me call him in. Please have a seat until he comes to pick you up.

Outside, people pass through one-way gates, using electronic badges to get through. The gates only leave room for one person at a time, and even if someone tried to slip through, security officers carefully watch what comes in and out. One message is clear: security at Airbus is not taken lightly.

Today is July 1st, 2006 in Toulouse, Southern France. Joseph arrives, smiles and greets me as we shake hands. He then goes to the front-desk, signs a bunch of forms and I trade my ID for a temporary badge.

The M01 building is on the left. It’s shaped like a figure eight. Joseph uses his badge to open the front doors. We take the elevator to the 3rd floor. I get a bunch of forms letting me know that I’m forbidden to carry in any USB key or external storage device from outside the premises. I cannot bring in my own laptop and cannot bring home anything from Airbus. Those caught with sensitive data will face suspension.

I arrive at my desk and turn on my desktop computer, excited to discover what hardware I was provided.

Crap, it’s at least 5 years old. I sigh, and as I greet my new teammates I notice something intriguing: some keyboards have sticky notes next to them. It appears to be some sort of serial number for each computer…

Back at my desk, I am asked to enter my first password. Not just any password. Ten characters minimum, with a required mix of numbers, letters, uppercase and special characters. It takes me a good minute to think of a solid password I can remember. Done. I then try to install Visual Studio. No admin privileges. “Oh, you can’t install anything on your machine, we have to issue a ticket for that.” We do. 2 hours later, some guy from the outsourcing company remote-desktops to my machine, opens up the network folder and installs Visual Studio. 1 hour of installation passes by.

I go on the internet and start browsing developer forums, but most of the time I am greeted with a “Forbidden Site” intranet page. With time, I realize that the blacklist of forbidden URLs is huge. I am told that “it’s a security measure for everyone, to ensure that no one downloads a virus.”

As the days go by, I notice that people regularly change the serial numbers on their stickers… And within just a few weeks, the system greets me with a request for a new password. Already!? Yes, passwords change very frequently here. Security measure. When working on things as sensitive as the upcoming A380 airplane flight data, a lot of precaution is taken. I talk with someone about appending a rotating number to the password, but they apparently received a security warning regarding that behaviour.

It takes me 2 minutes to create and memorize a new password. Deep inside, I actually have no desire to memorize it, knowing that within a few weeks it will already be obsolete. As a result, I often mix it up with my first password. With time, I finally manage to forget the first one and remember the second one. And then, before I know it, it’s back: “Change password.”

No, I don’t want to memorize yet another password, you stupid fat-bordered dialog. Luckily, there’s no harm in me carrying the password on me. I take a pen and write down a random password on a sticky note, which I then put in my wallet. The process quickly becomes tedious. I am constantly taking it in and out of my wallet… One day, distracted by other thoughts, I put the paper back directly in my pocket, outside its protective wallet. The washing machine seizes the opportunity and destroys the note before I realize it.

The next day, I’m of course unable to find the yellow piece of paper. It’s OK, I’m pretty smart, I managed to remember it. “Account locked”. Guess not. Time to talk to my superior.

Joseph: “Aie, that’s not good… OK, let’s call IT support and see if they can reset your password.”

We call in. I explain my situation and indicate that I find all the security measures a bit extreme.

I receive a sermon on how critical and sensitive all the data is, as well as why all the security measures in place are so important and shouldn’t be taken for granted. The guy is clearly in a bad mood. Either he’s just really French, or I’m not the first one having password issues. He finally resets my password. I get back to my computer, hoping he will choke on a croissant at breakfast the next morning.

I attempt to log on. And there it was again, smiling at me like the clown who never dies in horror movies: “Change password”.

Sorry, but I’m done. I take a sticky note, write down a new random password, and put the sticky note under my keyboard. Another serial number. Guilt and remorse start kicking in. I kick them right back in the face with idiotic self-justification: “who cares anyway, it’s always my team in that open space… everyone does it… it’s ridiculous, they asked for it…”

And there I was, creating yet another flaw in a system designed to be so secure. The security’s absurd rigidity had become its biggest vulnerability. It was just a start, as I couldn’t work properly with so many websites blocked. I didn’t feel protected, I felt in jail and compelled to get out.

7 years later, I have become a security software engineer. I look back at those times and regret my irresponsible behaviour. I have empathy for the IT guy who was doing his best to educate the employees about the importance of security. Having strong passwords, changing them often, enforcing strong security policies, controlling what users can do, etc. are all somehow necessary evils. And yet, having personally seen so many sticky-note passwords around me, I cannot wave away the thought: creating the most secure system without focusing on its users is like looking for the strongest cement for a house built on the San Andreas Fault.

Bypass wifi time limits

I’m currently sitting in Terminal 5 of Heathrow airport, finishing a blueberry muffin while waiting for my connecting flight back home. Once again, as I want to reconnect to the digital world, I am greeted with a 30-minute limit on the free wifi. It seems to be becoming a global trend in coffee shops and other public places nowadays. Anyway, here is the procedure to circumvent such limits by spoofing your MAC address:

On a Mac/Linux:
Run ifconfig to find the active network interface (the one whose status is “active”). On the latest MacBook Pros and Airs, it should be en0. Note the current MAC address somewhere so you can revert once the operation is complete. The commands below use the macOS ifconfig syntax:

sudo ifconfig en0 ether [new_mac]
sudo ifconfig en0 down
sudo ifconfig en0 up

On Windows 7/Windows 8:
It seems Microsoft forces you to use one of these MAC addresses (a second hex digit of 2, 6, A or E means the locally administered bit of the first octet is set):

X2-XX-XX-XX-XX-XX
X6-XX-XX-XX-XX-XX
XA-XX-XX-XX-XX-XX
XE-XX-XX-XX-XX-XX

You can change the MAC address by simply using a program like http://lizardsystems.com/downloads/changemac_setup.exe
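As an added example (not from the original post), here is the bit-level reason behind that Windows list, plus the check a network operator can run on the other side of the table: the second hex digit being 2, 6, A or E means the locally administered (U/L) bit of the first octet is set, which is also what makes a hand-picked address stand out in DHCP leases. The lease lines below are constructed for the demo.

```python
import re

# Accepts both common notations: aa:bb:cc:dd:ee:ff and aa-bb-cc-dd-ee-ff.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5}$")


def parse_mac(mac):
    """Return the six octets as integers; raise ValueError on anything else."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(octet, 16) for octet in re.split(r"[:-]", mac)]


def is_locally_administered(mac):
    """Bit 1 of the first octet is the U/L bit: 1 = locally administered, not vendor-assigned."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """Bit 0 of the first octet is the I/G bit: 1 = group (multicast) address."""
    return bool(parse_mac(mac)[0] & 0x01)


def windows_accepts(mac):
    """The X2/X6/XA/XE rule from the post is exactly: U/L bit set and I/G bit clear."""
    return is_locally_administered(mac) and not is_multicast(mac)


# Constructed DHCP-lease-style lines (not from a real server): time, MAC, IP, hostname.
LEASE_LINES = """\
2013-05-01T09:00:12 00:1c:b3:09:85:15 10.20.0.17 iphone-anna
2013-05-01T09:01:44 a2:11:22:33:44:55 10.20.0.18 macbook
2013-05-01T09:03:05 3c:07:54:1a:2b:3c 10.20.0.19 thinkpad
2013-05-01T09:31:09 06:de:ad:be:ef:01 10.20.0.20 macbook
"""


def flag_locally_administered_leases(text):
    """Return (mac, ip, hostname) for every lease whose MAC has the U/L bit set."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, mac, ip, host = parts
        try:
            if is_locally_administered(mac):
                flagged.append((mac, ip, host))
        except ValueError:
            continue  # unparsable MAC field, ignore
    return flagged
```

Note that the same hostname (“macbook”) showing up twice with two locally administered addresses half an hour apart is exactly what a session-limit bypass looks like from the portal’s side.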

How to crack windows passwords in 5 minutes

I’ve been meaning to write about this for a long time. Windows 7 at its core has a huge security flaw that can easily be exploited to log into any machine you have physical access to.

It all starts at the password-protected login screen (winlogon.exe). There you find two important pieces of information:
– The user names
– The accessibility shortcuts still work (try hitting left Alt + left Shift + Print Screen from the login screen)

To enable those, winlogon.exe executes another executable: sethc.exe (you may already have seen the Sticky Keys dialog it pops up).

The flaw comes from the fact that winlogon executes c:\windows\system32\sethc.exe no matter what the file actually is. If you can replace that file with a command prompt, you can access the prompt from the login screen, and this can easily be exploited to change the user’s password and bypass the login screen.

Anyway, here is the 5-minute procedure:
1/ Reset the computer, hit F8 for boot options and select “Repair your computer”
2/ Start a Command Prompt
3/ Make a backup of sethc.exe:
move c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bck
4/ Copy your cmd prompt:
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
5/ Restart computer
6/ At the login screen, trigger the Sticky Keys helper (i.e. sethc.exe) by hitting Shift 5 times
7/ With the new prompt, change the password:
net user [username] [password]

Don’t forget to restore the original sethc.exe file once you are done.

The downside of this method is, of course, that you need physical access to the machine.
Still, the flaw has existed for so long that you wonder how come it’s still not patched…
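From the defender’s side, the swap described above leaves two obvious traces: sethc.exe becomes byte-identical to cmd.exe, and the renamed original (sethc.exe.bck in the procedure) is often left behind. The audit below is an added example, not from the original post; it hashes the accessibility helpers that winlogon can launch and reports both traces. On a real machine you would pass r"C:\Windows\System32"; build_demo_system32() builds a constructed stand-in with placeholder bytes so the check can be run anywhere.

```python
import hashlib
import os
import tempfile

# Accessibility helpers launched from the login screen; sethc.exe is the one the post swaps.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")
# Suffixes a "move sethc.exe sethc.exe.bck" style backup tends to leave behind.
BACKUP_SUFFIXES = (".bck", ".bak", ".old", ".orig")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_accessibility_binaries(system32_dir):
    """List helpers that are byte-identical to cmd.exe and any leftover backup copies."""
    findings = []
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            findings.append(f"{name} is byte-identical to cmd.exe (replaced)")
        for suffix in BACKUP_SUFFIXES:
            if os.path.isfile(path + suffix):
                findings.append(f"leftover backup {name}{suffix} found")
    return sorted(findings)


def build_demo_system32(replaced=True):
    """Constructed stand-in for C:\\Windows\\System32 with placeholder bytes (not real binaries)."""
    d = tempfile.mkdtemp()
    files = {"cmd.exe": b"placeholder cmd.exe", "utilman.exe": b"placeholder utilman.exe"}
    if replaced:  # state after steps 3 and 4 of the procedure
        files["sethc.exe"] = b"placeholder cmd.exe"
        files["sethc.exe.bck"] = b"placeholder sethc.exe"
    else:  # untouched machine
        files["sethc.exe"] = b"placeholder sethc.exe"
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for finding in audit_accessibility_binaries(build_demo_system32()):
        print(finding)
```

This only catches an exact copy of cmd.exe, so compare each helper against a known-good baseline hash as well; and since the swap happens offline from a recovery prompt, full-disk encryption is what prevents it in the first place.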

The illusion of phone security

My phone has become my everyday tool. I use it to check my mail, write blog posts, check my bank accounts, play games, perform transactions. I use it so much I often forget that it holds so much sensitive data. If your phone were stolen, what passwords or accounts would the thief have access to? My phone checks my mail automatically on all my accounts. Very convenient. But I realized today that this convenience is an expensive asset. You think your PayPal account is safe? Anyone can ask for your password to be reset. If that someone has access to your automatically-checked mailboxes, he has access to your bank account, your Facebook profile, and pretty much your entire digital life.

All of that digital life in the palm of my hand or in my back pocket is a danger I tend to overlook.

Some of you may have some locking mechanism such as a 4-digit phone PIN… But really, when was the last time you made sure no one was looking as you entered your PIN… (even worse: most people choose the same PIN on their phone as on their credit card). I personally think it’s better not to have any locking mechanism on your phone and behave like it has absolutely no security, rather than believe in the illusion of its security.

I need to find another way to authenticate myself to my mail servers on my phone.