lgallion

Jan 07 2010

NEWS via Help Net Security: The 8th annual Malaysian security conference will feature a lock picking competition sponsored by TOOOL USA.

Jan 07 2010

Jeromie Jackson’s excellent blog, Harmonizing Regulatory Compliance and Risk Management, has a great article about Mr. Jackson’s physical penetration test of a data center. After failing to pick the Schlage lock to the data center, the team noticed a window which could be unmounted from the side of the door they were on. After hurdling that barrier, it was just a matter of evading the other security layers until their objective (simply leaving a note, in this case) was accomplished. An excellent overview of how even a layered security system can be compromised if the physical aspects of security are ignored.

Harmonizing Regulatory Compliance and Risk Management

Dec 28 2009

There is a nice, short introduction to lock bumping and home security on safetyhomesecurity.net, including some recommended bump-resistant locks for homeowners. It’s a little short on facts and specifics but otherwise gives a good, quick overview of the issue.

Dec 24 2009

NPR’s All Things Considered recently (December 23rd, 2009) did a short article about Locksports (lock picking contests). They interview Schuyler Towne, a well-known lock picker, as well as representatives from law enforcement and even a lock designer.

Dec 06 2009

Due to the huge workload from some of my other projects, I am now releasing all of the safe manipulation software on AnalogHacking.com for free with direct download links. This includes the manipulation training and tracking aid, Contact Point Journal; the powerful, virtual replacement for magnifying aids & dial position measurement, VScale; and, for those old school folks out there, a custom paper Vernier Scale creator, Vernier Scale Maker.

These programs are great for both the beginner in safe manipulation and the experienced professionals. Enjoy!

Oct 30 2009

Every once in a while you run across a security device that is, well, just fun. One such device is the Knocklock made by the good folks at KnockLock.com.

Basically, the Knocklock is a small computer that runs on batteries (although an external power supply is supported) and listens for a series of knocks that you train it to recognize. Once the correct knocks are heard, an internal relay in the device is activated. This can make all sorts of things happen, such as activating the electric strike* on a door. Even though the Knocklock can be programmed to recognize over one billion different codes, I really wouldn’t consider it ‘high security’ (especially considering that pounding out your combination could tip someone off pretty easily). However, it could do any number of light security tasks, such as:

* Securing access to your kid’s treehouse (and it would probably make you the coolest dad/mom around)
* Give any secret passage or hidden compartment a real ‘haunted mansion’ feel
* A neat lock for your wine/spirits stash
* It would make a great Halloween display activator (just knock 3 times on the coffin and see what happens…)

The Knocklock

I put a Knocklock to work on the electric strike of a low security door in my office and it still makes me smile every time I tap out the code to open it. I must admit the Knocklock doesn’t work every time (you have to tap at a pretty fast and consistent rate) but even when it doesn’t open the first time, it is still probably quicker than fumbling for my keys (and lots more fun).

———-

* An electric strike allows a normally locked door to be opened because the part of the door frame which holds the door shut (the strike) has an electric release mechanism built into it.

Oct 21 2007

In a recent blog entry, Barry “The Key” Wels describes a German Discovery Channel show featuring FBI agent Ed Tickel. In the 1970s and early 1980s, Mr. Tickel was the ‘go-to’ guy anytime the FBI needed entry into a locked area. In the video (an excerpt is available on Barry’s blog), Mr. Tickel not only talks about his adventures fighting crime but also demonstrates his favorite lock opening method, “impressioning”. Using skills like these, he legally broke into various Mafia strongholds, allowing agents to gather information and plant bugs without anyone knowing.

Unfortunately, it appears that Mr. Tickel didn’t limit his use of his impressioning skills to helping bring the Mafia down. Instead, suspicion over a possible attempted FBI credit union break-in and a luxurious lifestyle featuring a $10,000 boat and multiple sports cars caused Mr. Tickel to become a suspect of the FBI himself. Eventually he was convicted of transporting stolen diamonds across state lines. Mr. Tickel himself denied any wrongdoing during his trial and suggested that it was a vendetta against him to cover up illegal surveillance he had conducted for the FBI. To find out more about the adventures of Mr. Tickel and his eventual downfall, check out the following book references/news articles:

Here is a link to a summary of the Washington Post story:
Former FBI Agent Gets 8 Year Term

An excerpt from “The Bureau: The Secret History of the FBI” that has a little more detail than the Post story:
The Bureau: Secret History of the FBI excerpt

And finally, after being convicted he claimed that the FBI used his talents illegally in several cases and this was used by a couple of Mafia members to file appeals:
Time Magazine Article

Oct 18 2007

On October 13, 2007, lockpicking101.com reached its 50,000th member. Below is a graph showing the growth of LP101 since its inception:

Lockpicking101.com passes 50,000 Users

As you can see, since about July of 2006 LP101 has been growing at about 1,000 new members every 12-18 days.

Sep 20 2007

Dean’s Under Door Tool
Dean recently published on his blog (& YouTube.com) instructions for making your own handy under-the-door tool (watch the video if you are not sure what that is). While information about these tools has been around for a while (for example, check out Hans Conkel’s book on Amazon: How To Open Locks With Improvised Tools), its ready availability on sites such as YouTube and the Make Magazine Blog is pushing this information out into the public like never before.

How do you defend against this sort of attack? Well, since reverting back to round knobs is not really an option (due to ADA regulations), you might possibly try to mount the door handle facing straight down (as is suggested in one of Dean’s subsequent blog entries). However, even if the door hardware made this change possible, this strategy could be easily defeated with a variation of the same tool. You could also look at limiting the gaps around doors to make using such tools more difficult (however, doors tend to sag over time, making this difficult to maintain). Therefore it is critically important that you always design your security plan to defend against a single point of failure. Additional elements such as alarms and CCTV, which depend on radically different technologies than locks and doors, won’t suffer from the same weaknesses as these other security devices. Of course, even these technologies can sometimes also be bypassed or defeated, but having to remove multiple layers of defense greatly increases the difficulty in executing a non-destructive entry.

Sep 13 2007

Medeco M3 Lock
The Medeco M3, the new UL 437 and ANSI 156.30 certified lock (which specify protection from covert entry for 10-15 minutes), can easily have one of its three primary security features bypassed. The feature in question is the new slider mechanism which can be retracted with any piece of wire (including a paperclip) as is shown in this video by Marc Tobias:

YouTube Video

While this bypass technique doesn’t open the lock by itself, it paves the way for existing Medeco attacks including illicit key duplication and bumping.

A detailed written description is also available at:
The Medeco M3 Meets The Perilous Paper Clip