Presented at The Last HOPE (2008)
July 18, 2008, 6 p.m.
This talk will present a systematic approach to dissecting and disabling multiple layers of physical security in locks. In this presentation, the focus will be on embedded design defects in high-security locks, and how their discovery translates into security vulnerabilities and the disclosure of such flaws. The attack methodology for high-security locks will be reviewed. Demonstrations will include case examples, examining tolerance exploitation, code design analysis, and leveraging the interaction of internal components within a locking system to achieve different types of bypass. The application of this program in the development of covert, surreptitious, and forced methods of entry will be examined. Also discussed will be the concept of responsible disclosure upon the discovery of security vulnerabilities, and how this concept applies to both those who discover flaws and to the manufacturer that produces them, and why the same concept becomes a technical, logistical, legal, and financial minefield for manufacturers.
Marc Weber Tobias
as Marc Tobias
Marc Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. As part of his practice, he represents and consults with lock manufacturers, government agencies, and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored six police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400-page two-volume work, is utilized by criminal investigators, crime labs, locksmiths, and those responsible for physical security. A 14-volume multimedia edition of his book is also available online. His website is at http://security.org.
Matt Fiddler is a security researcher whose analysis of lock bypass techniques has resulted in many public and private disclosures of critical lock design flaws. He began his career as an intelligence analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has enhanced his extensive expertise in the areas of Unix and network engineering, security consulting, computer forensics, and intrusion analysis.