Skip to content

Feeling Safer?

Let’s get physical…

Almost everyone worries about computer security in one way or another.  Much is written about network security, of course, and lots of attention is payed to file and operating system security, often as it relates to viruses.

Security of your physical computing assets, however, is just as important, and perhaps more important.  If someone has physical access to one of your assets, say a desktop computer, laptop, server or router, then, given enough time, they can compromise that asset.  Without sufficient physical security, all of the time, attention and resources spent on other security matters can be wasted.

For example, someone who has physical access to a device that uses a hard drive can, in a sometimes surprisingly short period of time, clone a hard disk of your device, and then study that at their leisure at another location.  You might not even know anyone was there.   As another example, they could replace your passwords, giving the perpetrator access to all or a portion of your environment while locking you out at the same time.

It is a truism that you cannot hold out forever against someone who can gain physical access to your environment, and someone who has access can of course do untold damage simply by destroying computing assets.  However that does not mean that you cannot or should not take steps to protect your computing environment.  On the other hand, as with all things computer security, there is a risk/cost trade off (more on that in another upcoming blog).

So, if you haven’t done so in a while, it might be a good idea to take stock of the physical security of your computing environment, with respect to access and damage.

For access, you should consider questions like: Who has access to each device? Should the device protected by some sort of physical barrier to prevent access?  Are there multiple levels of physical security?   For example, if you are in a large corporation, your first layer of physical security might be a locked building with a guard. A second layer might be locating critical computing assets on a floor whose elevator requires a key to access that floor.  Finally, you might put particularly critical devices in a room whose door uses a keypad, fingerprint or even a retinal scanner, and log all access.

And don’t forget to consider that dropped ceiling or raised floor as you think about a high security area.  A locked door might not be as secure as you thought if someone can go over it via a dropped ceiling or under it via a raised floor.

Regarding damage, aside from a beserker with a sledge hammer, one big risk is fire. Of course, if the entire building burns down it isn’t likely that your computing assets will survive.  However, what if a smaller fire triggers the sprinkler system?  What will happen to your computers?

Naturally, the list of things that good physical security might entail is a lot longer than a short article can cover.  But this article can perhaps serve as a jumping off point to a review of the physical security of your computing assets.

Security of credit cards using “chips”

As you may know, starting in October the credit card companies are changing the rules on credit card liability for transactions where the credit card is present at the location of the purchase.  The idea is to encourage merchants and financial institutions to adopt the “EMV” (Europay/MasterCard/Visa) “chip” credit cards.

The EMV cards are generally considered to be more secure, because the chip creates a unique transaction code for each transaction, whereas if someone manages to read the magnetic stripe on a traditional credit card (and acquires the 3 digit verification number), there is nothing to stop repeated use of that credit card.

However, readers should be aware that there is a downside to the EMV chip technology.  While magnetic strips can be easily read (say, after theft of a card, or by a physically compromised ATM), magnetic strips cannot be read remotely.   On the other hand, the card chips can be accessed remotely.  Thus information on these new EMV cards can be read from a few inches away, even while the card is in your wallet or purse, by anyone passing near to you.  While some cards do not reveal account numbers this way (American Express claims to be in this group), others have been shown to do so.

So, what can be done to protect your new EMV credit and debit cards?  The answer is to protect them by blocking radio frequencies (RF) from reaching the card when it is not in use.  One suggestion is to wrap them in aluminum foil.  While this is 100% effective (providing what is known as a Faraday cage around the card), it is bulky and inconvenient.  A less bulky and more convenient alternative is to place the cards in an RFID shield sleeve.  These sleeves, available from retailers (Amazon, REI and many others), are inexpensive, and do not take up appreciable space in your purse or wallet, and should also serve as a reasonably effective Faraday cage to protect your cards – not only credit cards, but any card that uses this kind of chip technology, which might include educational institution cards, company security access cards, driver licenses and others.

3D printed TSA Travel Sentry keys Open TSA Locks


Last year, the Washington Post published a story on airport luggage handling that contained unobscured images of the “backdoor” keys of the Transportation Safety Administration, along with many other security agencies around the world, used to gain access to luggage secured with Travel Sentry locks. These locks are designed to allow travelers to secure their suitcases and other baggage items against theft with a key or a combination, while still allowing the secured luggage to be opened for inspection—ostensibly by authorized persons only. The publication of the images effectively undermined the security of the Travel Sentry system, since the images were of sufficient quality to create real-world duplicate keys….

A few enterprising hackers (in the correct sense of the word “hacker”) have put together 3D printable model files of the TSA keys and uploaded them to a GitHub repository. Now, rather than needing specialized skills and tooling to craft a duplicate Travel Sentry key, all you need is a 3D printer that can handle STL files (and that’s basically any 3D printer)….

Is this disheartening news? Not particularly. Locking your luggage has never provided any real additional protection against all but the most casual theft attempts (as evidenced by the fact that almost any piece of luggage with a zipper can be opened with a screwdriver or a pen regardless of how many locks are hanging off of it). The spreading of 3D printable Travel Sentry keys is more of a criticism of any kind of “backdoor” cryptography—be it one that involves physical keys or mathematical. The backdoor itself undermines any and all trust in the system.

Anyone who thinks otherwise is fooling themselves.

Feeling safer yet?