Jan 07 2010

Jeromie Jackson's excellent blog, Harmonizing Regulatory Compliance and Risk Management, has a great article about Mr. Jackson's physical penetration test of a data center.  After failing to pick the Schlage lock on the data center door, the team noticed a window next to it that could be unmounted from the side they were on.  Once past that barrier, it was just a matter of evading the remaining security layers until the objective (simply leaving a note, in this case) was accomplished.  It is an excellent illustration of how even a layered security system can be compromised when the physical side of security is neglected: the lock was rated and resisted picking, but the surrounding wall assembly was never assessed against the same adversary.

Harmonizing Regulatory Compliance and Risk Management

Sep 13 2007

Medeco M3 Lock
The Medeco M3, the new UL 437 and ANSI 156.30 certified lock (standards which specify resistance to covert entry for 10-15 minutes), can easily have one of its three primary security features bypassed. The feature in question is the new slider mechanism, which can be retracted with any stiff piece of wire (a paperclip will do), as Marc Tobias demonstrates in a YouTube video.

While this bypass does not open the lock by itself, it removes one of the three layers an attacker has to defeat, and so paves the way for existing Medeco attacks such as illicit key duplication and bumping.

A detailed written description is also available at:
The Medeco M3 Meets The Perilous Paper Clip

Jun 18 2005

You might think that the alt.locksmithing newsgroup would be a hive of leaked physical security secrets, but this is really not the case. Alt.locksmithing has long been frequented by professional locksmiths who both dismiss offhand any information that does get spilled and spread misinformation in an attempt to confuse the readers.

However, in 2000 a character called Freddie the Wire started talking openly about things which locksmiths had held as closely guarded secrets for years. The more Freddie posted, the larger the flame war became, and the more Freddie responded with further secrets. Suddenly information on drilling safes, bypass techniques, spiking, drill points, shimming padlocks, lock picking and impressioning was posted on Usenet for everyone to read.

No one will ever accuse Freddie of being a master of the English language, and his postings should probably be rated PG-13 (at best). However, beneath the stilted wording and creative punctuation lies a wealth of information.

Of course, Freddie's legacy hasn't gone away. Thanks to Google Groups, Freddie's prose is still available today. It is a reminder, once again, that the Internet makes retrieving, retaining and duplicating information (even locksmithing secrets) easy.