Wednesday, December 14, 2005

Weakest Link Security

Schneier on Security: Weakest Link Security:

Funny story:

At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. "All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade," says fish. "It seems that the use of a security badge was no longer adequate protection.

"So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).

"Present all three, and the door beeps and lets you in."

One by one, the doors are brought online. The technology works, and everything looks fine -- until fish decides to test the obvious.

After all, the average member of the public isn't likely to forge a security badge, guess a multidigit number and fake a thumb scan. "But what happens if you just turn the handle without any of the above?" asks fish. "Would it set off alarms or call security?

"It turns out that if you turn the handle, the door opens.

"Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default."

Remember, security is only as strong as the weakest link.

(Via Schneier on Security.)

No comments: