<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Grymoire Blog &#187; Uncategorized</title>
	<atom:link href="http://barnett.blog0.netheaven.com/category/uncategorized/feed/" rel="self" type="application/rss+xml" />
	<link>http://barnett.blog0.netheaven.com</link>
	<description>Magic and Security</description>
	<lastBuildDate>Wed, 14 Mar 2012 23:29:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Building a lockpick training station</title>
		<link>http://barnett.blog0.netheaven.com/2011/07/24/building-a-lockpick-training-station/</link>
		<comments>http://barnett.blog0.netheaven.com/2011/07/24/building-a-lockpick-training-station/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 03:32:40 +0000</pubDate>
		<dc:creator>grymoire</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://barnett.blog0.netheaven.com/wordpress-mu/?p=169</guid>
		<description><![CDATA[I wanted a setup that would let me practice my Lockpicking skills. First of all, you need some parts Practice Locks. The first one I used KIK (Key-in-Knob) locks.   Schuyler Towne sells them. (soon to be available to the public). Nice piece of wood for the Practice 1/4&#215;20 Threaded Brass Inserts From Rockler,  or [...]]]></description>
			<content:encoded><![CDATA[<p>I wanted a setup that would let me practice my Lockpicking skills.</p>
<h2>First of all, you need some parts</h2>
<ul>
<li>Practice Locks. The first ones I used were <a href="http://www.kaba-ilco.com/key_systems/products/cylinders/kik_kil_kid_cylinders.aspx?id=32">KIK</a> (Key-in-Knob) locks. <a href="https://plus.google.com/100525240008715927809" rel="nofollow">Schuyler Towne</a> sells them (soon to be available to the public).</li>
<li>Nice piece of wood for the Practice</li>
<li>1/4&#215;20 Threaded Brass Inserts From <a href="http://www.rockler.com/product.cfm?page=363">Rockler</a>,  or from <a href="http://www.leevalley.com/US/hardware/page.aspx?cat=3,41306,41311&amp;p=44203">LeeValley</a>. For a larger list, check <a title="ShopWiki" href="http://www.shopwiki.com/Threaded-Inserts">here</a>. You can also use steel inserts, which are cheaper.</li>
<li>Decorative Solid Brass Knurled Knobs from <a title="From Rockler" href="http://www.rockler.com/product.cfm?page=651">Rockler</a> or from <a href="http://www.leevalley.com/US/hardware/page.aspx?cat=3,41306,41311&amp;p=44203">LeeValley</a>. You could use simple <a href="http://www.google.com/products/catalog?hl=en&amp;safe=off&amp;client=firefox-a&amp;hs=02q&amp;rls=org.mozilla:en-US:official&amp;q=1/4x20+thumbscrews&amp;um=1&amp;bav=on.2,or.r_gc.r_pw.&amp;biw=1132&amp;bih=651&amp;ie=UTF-8&amp;tbm=shop&amp;cid=3370938740902715638&amp;sa=X&amp;ei=xNIsTp_LGMf3gAfriISyCw&amp;ved=0CGkQ8wIwAg">thumbscrews</a>, which again are cheaper.</li>
<li>Drill bits for the Threaded Insert. The size depends upon your wood and your inserts. The brass inserts from Rockler say to use a 3/8&#8243; bit for softwood, and 13/32&#8243; for hardwood.</li>
<li>Two (2) 1/4&#8243;x20 hex bolts. It is important that at least one of these is threaded all the way up to the top.</li>
<li>2 or 3 nuts to match the above bolts.</li>
<li>A desktop drill press if you have one.</li>
<li>A <a href="http://www.harborfreight.com/2-1-2-half-inch-drill-press-vise-5927.html">drill press vise </a>is also useful.</li>
<li>A small hand saw to cut the slots in the wood</li>
<li>5/8&#8243; Forstner drill bit (to drill the hole for the KIK cylinder)</li>
<li>A wrench for the 1/4&#8243;x20 hex bolt.</li>
<li>A <a href="http://www.google.com/search?q=combination+square&amp;ie=utf-8&amp;oe=utf-8&amp;aq=t&amp;rls=org.mozilla:en-US:official&amp;client=firefox-a#q=combination+square&amp;hl=en&amp;safe=off&amp;client=firefox-a&amp;hs=2Zr&amp;rls=org.mozilla:en-US:official&amp;prmd=ivns&amp;source=univ&amp;tbm=shop&amp;tbo=u&amp;sa=X&amp;ei=rdosTqGgMYHEgAfUosiyCw&amp;ved=0CHgQrQQ&amp;bav=on.2,or.r_gc.r_pw.&amp;fp=bcbc13ee211f73ef&amp;biw=1132&amp;bih=651">combination square </a>is useful for the layout</li>
<li>Wood. The piece I used was 1&#8243;x1 3/4&#8243;x(depends on the number of locks)</li>
<li>A 1/4&#215;20 insert driver like <a title="Threaded insert driver" href="http://www.amazon.com/WoodRiver-Wrench--20-Inserts/dp/B0035YF486/ref=sr_1_28?s=industrial&amp;ie=UTF8&amp;qid=1313955804&amp;sr=1-28">this</a> makes things easier.</li>
</ul>
<p>These measurements were for a Schlage KIK lock. Remember the #1 rule for woodworking:</p>
<p style="text-align: center"><strong>Measure twice. Cut once.</strong></p>
<h2 style="text-align: left">Laying out the holes</h2>
<p style="text-align: left">The Schlage Cylinder is 5/8&#8243; with the pins extending up 3/8&#8243;. The brass knurled knobs are 1&#8243; long. They need to extend into the hole to grab the cylinder, so the key measurements are:</p>
<ul>
<li>3/8&#8243; for the pin slot or less</li>
<li>5/8&#8243; for the cylinder</li>
<li>7/8&#8243; for the brass knob threads, leaving 1/8&#8243; to extend into the cylinder.</li>
</ul>
<p>To help with the orientation, the slot for the pins  is on top, and the knurled knob is on the bottom.</p>
<p>Therefore the wood must be 3/8&#8243; + 5/8&#8243; + 7/8&#8243; = 15/8&#8243;, which is 1 7/8&#8243;, or less. I used 1 3/4&#8243;.</p>
<p>The center of the 5/8&#8243; hole is halfway &#8211; or 5/16&#8243;. Therefore, measuring from the top, it&#8217;s 3/8&#8243; + 5/16&#8243; = 11/16&#8243;.</p>
<p>From the bottom it&#8217;s 7/8&#8243; + 5/16&#8243; = 19/16&#8243;. Mark the spot with a nail or an awl.</p>
<p>Lay out the circles on the wood, and drill the 5/8&#8243; hole. From the bottom, drill a hole at the center of the 1&#8243; wide face using the 3/8&#8243; bit (13/32&#8243; for hardwood). You may want to drill a recess first that is wide enough to fit the base of the brass knob neatly into the wood. After drilling the recess, the 3/8&#8243; hole must go all the way through to intersect the 5/8&#8243; hole. This hole fits the outer diameter of the threaded insert. The recess hole should be shallow (only 1/4&#8243; deep).</p>
<p>Using the lock as a guide, mark the slot for the cylinder pins. It is better to cut too narrow than too wide, as you can make the slot wider later. At this point, the lock should fit into the hole.</p>
<p>Repeat this for each lock. Well, it&#8217;s better to measure all of the 5/8&#8243; centers at once. If you screw up, cut the end off and try again. Notice I did not say what the length of the wood is. That depends on your mistakes and the number of lo</p>
<p>You may want to sand the wood at this time.</p>
<h2>Next step &#8211; brass inserts</h2>
<p>The next step is to install the brass inserts. Even though there is a slot into which you can insert a screwdriver, this does not work with hardwoods. Also &#8211; the insert might go in crooked. There&#8217;s a special trick to installing them.</p>
<p>Put the insert into the wood (at the bottom of the piece), and thread a 1/4&#8243;x20 hex bolt into this insert. This bolt MUST BE THREADED ALL THE WAY to the top. If there is an unthreaded shaft, when this shaft reaches the insert, it will split the insert.</p>
<p>Hold the wood vertical with the drill press vise. Place it under your drill press. Now take another 1/4&#8243;x20 bolt, turn it upside down, and place its head on top of the head of the bolt in the insert. Put 2 or 3 nuts onto this bolt, and use these nuts to grip the bolt in the drill press chuck. Essentially &#8211; this makes sure you are 100% perpendicular.</p>
<p>Now use the adjustable wrench and grip both bolt heads. Turn the bolt heads so it forces the insert into the wood. By using two bolts, and turning both simultaneously, you make sure the threads go in perfectly straight.</p>
<p>Stop when the threaded insert is flush with the wood surface.</p>
<p>If you use steel, then things are easier because steel is stronger. But I like the looks of brass.</p>
<p>At this point, you repeat this step for each of the locks. If the threaded insert sticks up a little, you can use a file to remove the excess brass.</p>
<p>The result looks like <a href="https://plus.google.com/photos/107399157563945472781/albums/5633103240949104497">this</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://barnett.blog0.netheaven.com/2011/07/24/building-a-lockpick-training-station/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>RSA Breach</title>
		<link>http://barnett.blog0.netheaven.com/2011/04/11/rsa-breach/</link>
		<comments>http://barnett.blog0.netheaven.com/2011/04/11/rsa-breach/#comments</comments>
		<pubDate>Mon, 11 Apr 2011 11:34:12 +0000</pubDate>
		<dc:creator>grymoire</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Breach]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[SecurID]]></category>

		<guid isPermaLink="false">http://barnett.blog0.netheaven.com/wordpress-mu/?p=225</guid>
		<description><![CDATA[RSA/SecurID data has been compromised. What does this mean?? Security researchers have been discussion the latest news about hackers getting data from RSA related to the SecurID authentication token. I have one and used it for years. The SecurID fob is simple to use. Every 30 seconds a 6-digit number is displayed on the device. [...]]]></description>
			<content:encoded><![CDATA[<h2>RSA/SecurID data has been compromised.</h2>
<p>What does this mean? Security researchers have been discussing the latest news about hackers getting data from RSA related to the SecurID authentication token. I have one and have used it for years. The SecurID fob is simple to use. Every 30 seconds a 6-digit number is displayed on the device. You log onto a computer by typing your username, your PIN, and your 6-digit number. Since that number is unique to your device, only the owner of the device can use it to log in.</p>
<p>I’ve seen many interesting discussions on the RSA Breach, but I felt the threat analysis was incomplete.  Since RSA said nothing, I’ve made some assumptions, and analyzed those assumptions.</p>
<h2>Assumptions</h2>
<p>I’ve made some assumptions about what might have happened. If these turn out to be false, then the threats are not as severe. But let’s set the foundation.</p>
<h3>The 128-bit SecurID algorithm has been obtained</h3>
<p>It’s well known that in 2000, someone who claims to be I. C. Wiener published the source code to the algorithm. However, others have said this is the old 64-bit version of the algorithm, and that the newer algorithm is based on 128-bit AES. The Russian name Wiener looks like a joke, BTW. It really doesn’t matter. First of all, Kerckhoffs’s Principle says that the security should not be based on secret algorithms. Besides, if the hackers were inside RSA, they could have obtained the algorithm. Alternatively – they can reverse engineer the client application for the iPhone, Blackberry, Android, etc.</p>
<p>We should not assume that the algorithm is secret. I have not seen it published, but that does not matter. We have to assume it’s known.</p>
<h3>The files containing seeds and the corresponding serial numbers were obtained</h3>
<p>The SecurID token generates seemingly random numbers, which are used to authenticate users on a computer. The numbers are predictable once you know the serial number of the device, the special seed number, and the time (as the numbers change every 30 seconds). The time is of course guessable. Each device has a clock and it might “drift” or get out of sync with the real time, but the server allows some “slop” in which number is valid, and it recognizes the drift each token has. If a device’s clock is always slow, the server can learn how much it is off, and accurately know which number is showing on the token.</p>
<p>I’ve seen email from people in the know which implies that this data was obtained, and that the files that identify the company by the token serial number were obtained too. If this is true, then knowing the serial number of the device will tell you the name of the company that purchased the device. I have an old version and a new version, and both of them have serial numbers greater than a million. I don’t know if these are sequentially numbered. But there must be an algorithm, and if a company orders 10,000 tokens, it is likely the numbers are close together, if they aren’t sequential.</p>
<h3>Summary of the SecurID Technology</h3>
<p>This section is for those who don’t understand the algorithm.</p>
<p>Steve Bellovin used a nice way to describe the technology. Let’s call the number being displayed on the SecurID token the TokenValue. There is a hash algorithm H, such that</p>
<p style="text-align: center"><strong>TokenValue = H(Seed, Serial Number, ClockTick)</strong></p>
<p>The ClockTick is based on the date, and/or a counter inside the device. It’s not considered a secret. When a customer logs into a server, they enter</p>
<ul>
<li>Username</li>
<li>PIN+TokenValue</li>
</ul>
<p>The server uses the username to look up the serial number and/or the SEED value (perhaps the serial number is used to look up the SEED value). If the generated TokenValue matches the number provided, and the PIN is the same, the user is authenticated. I call this calculation a hash value, because cryptographers describe hash functions (also known as one-way functions) as something that is hard to reverse. Knowing the token value will not help you learn the seed and serial number. It’s difficult to make a whole potato and a slice of corned beef from a serving of hash.</p>
<h2>Threat Model</h2>
<p>When analyzing risks, it is important to consider what the goal of the attack is – what is the threat model? The SecurID token provides a one-time password (OTP). That is, if someone learns your password and PIN (from a keystroke logger, shoulder surfing, or a man-in-the-middle attack), then they still do not have the ability to gain access to your account. Other threats not related to the SecurID technology include</p>
<ul>
<li>Sniffing passwords on the wire – HTTPS prevents this</li>
<li>Brute force attacks on a server – the server should detect this and block the account when too many attempts fail.</li>
</ul>
<p>The SecurID technology does not address these issues.</p>
<h2>Attack Probabilities</h2>
<p>Let’s consider those pieces of information that are needed to do an attack. All five pieces of information are needed for an attack to be useful.</p>
<h3>Can the attacker guess the SecurID Serial Number?</h3>
<p>This information is written on the back of the SecurID fob. Some people attach it to their keychain, and it might be glimpsed. In addition, RSA may have records that associate the serial number to a company. If so, the search space is limited to the number of tokens issued. Let’s say a large order is 100,000 tokens, or about 2 to the 17th power (2<sup>17</sup>). But it could be as small as 500 tokens. Let’s just say that the chances were formerly a snowball’s chance in Hell, but are now the chance of a snowflake falling on your head.</p>
<h3>Can the attacker guess the SecurID Username?</h3>
<p>Of all of the values, I assume this is the easiest to guess. There are conventions used by each company, and if you know this convention, you can predict the username. It could be an ID number, or a combination of letters from the user’s name. Usernames are rarely random. I therefore assume this is trivial.</p>
<h3>Can the attacker guess the SecurID Pin?</h3>
<p>This is also a concern. Some people, because of their belief that the SecurID token is secure, use a weak or trivial PIN. It may even be a 4-digit number.</p>
<h3>Can the attacker guess the SecurID Company/Website?</h3>
<p>Of course it’s essential to know where the token is useful. If the hacker has a SEED and serial number, they have to get the company, username and PIN. But we can’t assume this is a hard problem.</p>
<h3>Can the attacker guess the SecurID Seed?</h3>
<p>This is the crux of the issue. The largest threat is caused by the loss of the SEED files. Why is this? Because the seeds are the most valuable. The estimated number of stars in the Universe is 100,000,000,000,000,000,000,000. That’s a 1 followed by 23 zeros. The 128-bit seed, if generated correctly, should be a random number. The number of possible combinations is</p>
<p style="text-align: center"><strong>2<sup>128</sup> = 340,282,366,920,938,463,463,374,607,431,768,211,456</strong></p>
<p>That’s 3 followed by 38 digits, which is about 3,000,000,000,000,000 times larger than the number of stars in the universe. By knowing which seeds are used, the difficulty drops from 2<sup>128</sup> to the same as finding the serial number (2<sup>17</sup>) or less.</p>
<h2>Threats</h2>
<p>As I see it, there are three major threats:</p>
<ul>
<li>Brute force attack</li>
<li>Social engineering</li>
<li>Observing and cloning a SecurID token &#8211; an increased ability to do a brute force attack, and the ability to replicate the SecurID token.</li>
</ul>
<p>Before I go into depth of the analysis,</p>
<h3>Threat of a Brute Force Attack on the SecurID Token</h3>
<p>Let’s first assume that the attacker guesses or knows the user’s PIN. People use (and reuse) simple PINs, like “abc123.” The username is guessable. If we then assume the company has 1000 tokens, the problem is to find which token belongs to a person. If there are 1000 tokens, then the attacker can try 1000 times. The attacker can spread out this attack across several different IP addresses, and try several different accounts, over a period of months. If the company does not notice the increased number of failed attempts, they may not realize a brute force attack is happening. This attack is a real possibility. It could happen once a year.</p>
<h3>Threat of using Social Engineering to obtain the SecurID Token</h3>
<p>This attack is easier if the support team is unsophisticated about social engineering attacks. A user can contact the help desk and say they got a new token, but it’s not working. Then they can read off the serial number (using one for which they have the SEED value), and if the account is reset, the attacker can gain access to the account because they can generate the token value. The attacker can likewise ask them to reset the PIN.</p>
<h3>Threat of SecurID Token Replication</h3>
<p>The third attack can occur if the attacker is able to observe the actions of a legitimate user. They may get a glimpse of the token value, and the serial number on the back of the token. They may see the username, and guess the PIN. This can be done by watching someone log in. After all, people assume SecurID is secure, and the user may not care if they are closely watched during the login process. Knowledge of the token value gives the attacker a way to identify the serial number by a brute force attack using the list of serial number and seed values obtained. The attacker has to include some “slop” in the synchronization. But a brute force attack on 2<sup>17</sup> combinations does not take long. Also, if someone is able to observe the login sequence once, and they have the SEED values, they can predict future sequences. This is a brute force attack, but the difference is that this is done off-line. In other words, it cannot be detected. This says that the ability of the SecurID token to provide one-time passwords is significantly weakened. If the login is watched (camera, shoulder surfing, keystroke logger, man-in-the-middle attack, etc.), then the credentials can be re-used without the owner’s knowledge.</p>
<h2>Conclusion</h2>
<p>In the worst-case scenario, there are three threats that exist that did not significantly exist before. Two can be addressed. The third one cannot. Brute force attacks can be detected. Single accounts can be disabled, but if the brute force attacks are against all users, the only way to prevent this is to issue new tokens. Social engineering attacks are possible, and customers can be alert for them and prevent them. However, the biggest protection of the SecurID one-time password is broken. It can no longer be assumed that if the attacker can observe one authentication transaction, they will be unable to re-use those credentials. We have to assume the hackers who got into RSA are able to re-use SecurID credentials. That is, if they can observe one authentication sequence, they can replicate the credentials without being detected.</p>
]]></content:encoded>
			<wfw:commentRss>http://barnett.blog0.netheaven.com/2011/04/11/rsa-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My Prediction on Apple&#8217;s tablet &#8211; what should it do?</title>
		<link>http://barnett.blog0.netheaven.com/2010/01/08/prediction-on-apples-tablet/</link>
		<comments>http://barnett.blog0.netheaven.com/2010/01/08/prediction-on-apples-tablet/#comments</comments>
		<pubDate>Fri, 08 Jan 2010 01:35:51 +0000</pubDate>
		<dc:creator>grymoire</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://grymoire.wordpress.com/?p=31</guid>
		<description><![CDATA[I can&#8217;t resist.  With all of the buzz, I might as well add to the noise. Here are the features of the new apple tablet. It&#8217;s large, flat and thin. Like the air, but thinner. It&#8217;s great to watch videos and TV. Think of a portable television in your house. Carry it around the house. [...]]]></description>
			<content:encoded><![CDATA[<p>I can&#8217;t resist.  With all of the buzz, I might as well add to the noise. Here are the features of the new <strong>apple tablet.</strong></p>
<ol>
<li>It&#8217;s large, flat and <strong>thin</strong>. Like the air, but thinner.</li>
<li>It&#8217;s great to watch videos and <strong>TV</strong>. Think of a portable television in your house. Carry it around the house. It might need some sort of media server in the house to store all of the videos. But with rumors of a TV subscription service, this would make an ideal media appliance for the house.</li>
<li>It&#8217;s <strong>wireless</strong>. No power cord needs to be attached. Nothing ugly attached to it.</li>
<li><strong>Inductive charging</strong>. You may want several wall mounts, or easel displays around the house where you can rest the device when you are watching, or not. You don&#8217;t have to plug anything in to recharge it.</li>
<li>When watching video, an iPhone or iPod Touch can be used as a <strong>remote control</strong>. You have one anyway. No need to get up to change the channel. This makes the tablet a fashion accessory for the house.</li>
<li>It has a <strong>touch </strong>interface. It&#8217;s a tablet.</li>
<li>The user interface is enhanced. While some say gestures, I will predict an iPhone-like interface, with <strong>picture-in-picture </strong>capability. Each frame has its own iPhone-like state. This provides multitasking. Shrink and expand each picture to &#8220;dock&#8221; an application. There may be a taskbar to allow switching and multi-tasking.</li>
<li>It will have a <strong>magazine subscription service</strong>. Eventually the magazine can have embedded links. But that will be slow at first. It&#8217;s a New Media thing.</li>
<li>It will have <strong>cellular </strong>connectivity. When we say portable, we mean portable.</li>
<li>It has <strong>bluetooth</strong>. There is no way you will hold a 10-inch device to your face to say hello. Instead you use a bluetooth microphone. You will carry it with you anyway.</li>
<li>It supports <strong>tethering</strong>. If you have an iPhone, there is no reason to pay for both accounts. Instead, one will connect to the other, and they will use a shared account.</li>
<li>It can be <strong>docked </strong>to a keyboard. Imagine placing the device on an easel with a keyboard and disk. This makes it a nice desktop for extended work. There may even be a notebook that folds, so that a keyboard is on one side, and the tablet is on the other side. Unfold it, set up the easel, and a power-user can go to town.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://barnett.blog0.netheaven.com/2010/01/08/prediction-on-apples-tablet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FDA and Cybersecurity &#8211; a perfect match?</title>
		<link>http://barnett.blog0.netheaven.com/2009/09/17/fda-and-cybersecurity/</link>
		<comments>http://barnett.blog0.netheaven.com/2009/09/17/fda-and-cybersecurity/#comments</comments>
		<pubDate>Thu, 17 Sep 2009 01:34:49 +0000</pubDate>
		<dc:creator>grymoire</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[pay more and get less]]></category>

		<guid isPermaLink="false">http://grymoire.wordpress.com/?p=16</guid>
		<description><![CDATA[Companies that develop products used to maintain our infrastructure have a big problem. The security of the infrastructure is 10 years behind the times.  There are three types of companies: Some companies don&#8217;t care about security. Some make a token effort to secure their products, and the executives think things are just fine the way [...]]]></description>
			<content:encoded><![CDATA[<p>Companies that develop products used to maintain our infrastructure have a big problem. The security of the infrastructure is 10 years behind the times.  There are three types of companies:</p>
<ol>
<li>Some companies don&#8217;t care about security.</li>
<li>Some make a token effort to secure their products, and the executives think things are <em>just fine </em>the way they are. After all, they haven&#8217;t been hacked yet. So they must be okay. And Joe, the guy who designed the security, is a sharp guy. True,  they asked him at the last minute to bolt on some security, and they gave him a fixed budget and an extremely short deadline.  And Joe delivered.</li>
<li>Some realize that there are major issues, but don&#8217;t have enough money to do the job the right way.</li>
</ol>
<p>All three types of companies are in trouble. But only one type realizes it. It&#8217;s going to take some stimulus money to fix this. Adding security is a tough business decision.  How many customers are willing to pay more and get less functionality?</p>
<p>But let&#8217;s assume companies find some funding, and address their security issues. Should there be a fourth category &#8211; those companies that have perfect security? <strong>No. </strong>Their security may be adequate for today, but if they stop advancing, <strong>their security gets weaker over time</strong>. Security is not the same as simple engineering.  You can solve an engineering problem once, and the product will always perform the same way.</p>
<p>Security is not like this. Do nothing, and your security degrades. The more time passes, the more the security degrades. Some of the components of the new Smart Grid are supposed to last 20 years in the field. There is no way a secure system will remain secure for 20 years. Computers become faster, and can do brute force attacks faster every year. 56-bit <a href="http://en.wikipedia.org/wiki/Data_Encryption_Standard" target="_blank">DES</a> was secure. Then 10 years ago, in 1999, someone proved it&#8217;s no longer secure. The same thing happened with the <a href="http://en.wikipedia.org/wiki/MD5">MD5</a> hash. Look at the recent <a href="http://www.usenix.org/events/evtwote09/tech/full_papers/checkoway.pdf">Voting Machine Hack</a>. Checkoway and his colleagues found a way to hack into a machine where all of the software was in ROM. It&#8217;s a clever hack, and not one the designers imagined 10 years ago. And 10 years is a long time for security. Can we really think we can build a smart meter that will be secure for 20 years?</p>
<p>Companies are ignorant about the risks of security. This is not surprising. The only reason a company goes public about a hack is when they are forced to admit it. How then is a company able to calculate the probability of a hack? Frankly, security is primarily guesswork, and funding decisions are based on public interest, and not on where it&#8217;s really needed. Instead, companies rely on hope and prayer. After all, if nothing happens, the security must be okay.</p>
<p>How can we be protected from companies who are forced to make decisions driven by customer demand, and by that I mean the customers demand lower prices for their utilities? Why should the consumer be forced to pay for blunders on the vendor&#8217;s part? And companies can&#8217;t measure the risk of inadequate security. It&#8217;s pure guesswork.</p>
<p>So what&#8217;s the solution?</p>
<p>We have an organization that protects the health of consumers &#8211; the <a href="http://en.wikipedia.org/wiki/FDA">FDA</a>, and in particular, the <a href="http://en.wikipedia.org/wiki/Food_Safety_and_Inspection_Service">FSIS</a>. They make sure the food we eat is safe. They have more than 7,800 inspectors. Local health inspectors check restaurants for violations to protect the public. To quote Wikipedia,</p>
<blockquote><p>The vital services of FSIS have touched the lives of almost every citizen, every day in America. FSIS is accountable for protecting the lives and wellbeing of 295 million U.S. citizens and millions more around the world.</p></blockquote>
<p>Why can&#8217;t we do the same thing for Cybersecurity? Let&#8217;s set up an agency that breaks into our infrastructure systems. If they succeed, the company gets fined. The details of the problems are kept confidential.</p>
<p>That should keep the companies on their toes. This agency will only get better over time. This cyber-FDA would be a great place to train our hacking talent. They will develop their own tools. The tools are kept internal to the organization. We shouldn&#8217;t give weapons to our enemies. The cost of the organization would not be that high to maintain. There is also a chance of promotion into other government agencies for our top hackers.</p>
<p>And perhaps the fines they levy on companies can be used to do more research into security. Seems like a win-win situation.</p>
]]></content:encoded>
			<wfw:commentRss>http://barnett.blog0.netheaven.com/2009/09/17/fda-and-cybersecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

