Jul 25 2008

The Press: Information Jackpot

Entrepreneurs love media attention for themselves and their business. Any chance to get on television or in a publication is quickly jumped upon. The July edition of the Tri-Cities Area Journal of Business features a new section that focuses on young entrepreneurs, asking questions such as “Toughest career obstacle or decision” and “[what are your] lifetime goals?” You might be thinking, “What does this have to do with security?” It relates quite nicely to what I want to talk about: security questions and answers.

Security questions are the questions you get asked when you want to reset your password, or sometimes even to log into a web site. They are typically a simple question that, hopefully, only you know the answer to.

Some common questions are:

  • What city were you born in?
  • What is the name of a pet or the name of your first pet?
  • Favorite Movie
  • Favorite song / book
  • … and many other variations.

The problem with security questions is that the answers to them are quite often easily discovered information. Take the Journal of Business young entrepreneurs section. It offers a wealth of information that might be used to answer them.

Answers are typically less complex than a typical password, which injects additional weaknesses into the security of your account. Why force a secure password when you don’t force a secure security question? Why are we giving up this information to the sites we log into every day? Because they asked for it, that’s why. We want access to the site and want the ability to reset our password or use whatever other functionality the site has tied to the question/answer.

The solution is quite easy. Do not provide the real information. Generate a random answer and record it the same way you would your password. I recommend Password Gorilla, but there are many password archive applications out there to help you manage this.
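As an added illustration (not code from the original post), the script below generates a random, vault-ready answer for each of the questions listed above, reports how much entropy it carries, and flags any answer that happens to match a fact you have already published. The alphabet restriction and the sample “published facts” are assumptions made for this example.

```python
import math
import secrets
import string

# Assumption: lowercase letters and digits only. Many sites lowercase, trim or
# length-limit security answers before comparing them, so a mixed-case or
# punctuated answer can silently fail to match later.
ALPHABET = string.ascii_lowercase + string.digits

# The questions discussed in the post (constructed list for this example).
QUESTIONS = [
    "What city were you born in?",
    "What is the name of your first pet?",
    "Favorite movie?",
    "Favorite song / book?",
]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def random_answer(min_bits: float = 80.0) -> str:
    """Return a random answer carrying at least min_bits of entropy."""
    length = math.ceil(min_bits / math.log2(len(ALPHABET)))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_answers(questions=QUESTIONS, min_bits: float = 80.0) -> dict:
    """Map each question to a fresh random answer, ready to store in a vault."""
    return {q: random_answer(min_bits) for q in questions}


def leaks_public_fact(answer: str, public_facts) -> bool:
    """True if the answer equals something already published about you."""
    norm = answer.strip().lower()
    return any(fact.strip().lower() == norm for fact in public_facts)


def leaking_questions(answers: dict, public_facts) -> list:
    """Questions whose stored answer would be guessable from public facts."""
    return [q for q, a in answers.items() if leaks_public_fact(a, public_facts)]


if __name__ == "__main__":
    # Constructed sample of facts a profile piece might reveal.
    published = ["Springfield", "Rex", "Casablanca"]
    real = {QUESTIONS[0]: "springfield", QUESTIONS[1]: "rex"}
    print("Leaking:", leaking_questions(real, published))
    for q, a in generate_answers().items():
        print(f"{q} -> {a} ({entropy_bits(len(a)):.1f} bits)")
```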

As an aside, those of you who are being interviewed for publications: do your homework first before providing information to somebody who says they are a reporter or journalist. One great social engineering method is to pose as the press to gain information. People love to talk to the press.

Jul 08 2008

Social Engineering and Physical Security; or, How to Open a Safe When you Don’t know the Combination

So my wife manages a retail store. Some time ago they were the proud recipients of a new safe for storing important things, such as money. This left their old safe languishing on a shelf, never to be used again. There sat the safe, for many moons, until one day my wife’s regional manager asked her why they had an extra safe sitting on the shelf. My wife explained that the replacement safe was more than adequate for their safe-having needs, and furthermore, it had been so long since anyone had used the little safe on the shelf that nobody knew the combination anymore. “Get rid of it,” says the regional manager, “I don’t care what you do with it, but make it disappear.”

This is where I come in… I volunteered to take the safe off her hands for the very reasonable fee of $I’llcomegetit, which she happily accepted. “But Aaron,” you’re probably saying to yourself, “nobody knows the combo. This safe is useless unless you spend a bucket full of money to pay someone to open it!” At least that was the general consensus among my friends and family when I bragged to them that I had a safe I couldn’t open. But I have a secret. A good friend of mine is a locksmith. He has this really neat gadget called an autodialer. It’s basically a stepper motor hooked up to a microcontroller that cycles through all the possible combinations until it finds the right one. Easy-peasy, right? Wrong.

We hooked the autodialer up, found the drop point for my dial, and set it to run. My locksmith friend told me that it could take up to 48 hours for the autodialer to find the right combination, so I left it in the garage, dialing its little mechanical heart out. As it turns out, the alignment on this device has to be spot on, because the stepper motor detects when it can no longer turn the dial and assumes that it has found the combination. Then it stops trying. Due to the mechanics of hooking the dialer up, it’s very easy to get it slightly out of alignment, especially when the dial on your safe doesn’t turn completely true, as was the case with my safe. This results in a dialer that thinks it found the combination when it hasn’t. To make a long story short(er), we didn’t have the dialer lined up properly. We didn’t have it lined up correctly the second or third times, either. The fourth time, I thought we had it, and it dialed for about 25 hours before it stopped. Still no combo.

Fast forward three days… I’ve reset the dialer numerous times. Each time it dials for longer stretches, but always stops short of finding the combination. Somewhere in the middle of all this, we decide to call the safe manufacturer to inquire about drill points for this model, just in case. While on the phone with their friendly and helpful support staff, we discover that this safe uses a right-hand dial lock, rather than the standard left-hand dial. Which means we’ve been dialing the wrong direction for two days. Crap. We reset the dialer for right-hand dialing, and let it run for almost two full days. Still no combo.

At this point, we make the decision to drill the safe. I’ve seen lots of movies where people drilled into a safe and manipulated the lock; how hard can it be, right? Turns out it’s pretty hard. Even if you have the right equipment. And a lot of time. I mean a LOT of time. The actual drilling of the safe wasn’t too bad. The locksmith has a nifty rig that attaches to the safe and holds a drill bit in exactly the right spot. You hook a drill motor up to this apparatus and run the bit in slowly, so as not to break it. This particular door is 7/16″ thick, and has a 1/4″ hardplate, which is high carbon steel, behind it. Then there’s the lock body. Once you drill the hole, you stick a borescope in, line up the wheels, and you’re off to the races. Easy-peasy, right? Wrong.

First, you have to know where to drill the hole for the particular lock on your safe. If you’re a locksmith, this isn’t so hard. I was surprised to discover that if you’re not a locksmith, it isn’t so hard either. As I mentioned earlier, we called the manufacturer to ask about drill points. On the initial call, we were told that we needed to provide several forms of proof that we were either a) the legitimate owners of the safe, or b) qualified locksmiths working for the legitimate owner of the safe. We gathered the necessary info while the dialer ran its last run, and when it failed, we called them back. We should have just called back, since the second person we spoke with didn’t bother to verify any of our information. Instead, he gave us the “try-out combination”, which is the default combination as shipped from the factory. All safes have try-out combinations, and you would be surprised to find out how many people never change this default combination. He also gave us the drill points for a borescope, and for the fence. Without verifying any information. So if we HAD stolen this safe, we would now have the default combination, as well as the drill points. The default combo didn’t work, so we decided to drill for the borescope method. Easy-pe… oh, forget it, it’s not easy.

You see, looking through the borescope and trying to line the wheels up is like trying to tie your shoes while looking through a telescope. Everything is so close, it’s hard to tell what you’re looking at. You also don’t get a perfect look at both the wheels and the fence, so you have to keep shifting back and forth, all the while keeping the wheels lined up. This requires patience, a steady hand, and patience. To make a long story short(er) again, we did finally get the safe open.

It is entertaining to me that the safe manufacturer would give out information such as the try-out combo or the drill points without any verification that the person on the other end of the phone was legit. It goes to show that social engineering is an important aspect of your security. If an attacker can compromise your security by making an anonymous phone call, do you really have any security at all?
