Our Experience at the Lock picking village at AusCERT 2015
One of our Loop security experts, specialising in penetration testing. He advises Loop clients on various aspects of information security. In this post he points out common mistakes that should be avoided to guard against internal network attacks. If you have a question for him, please email email@example.com.
I was invited to attend AusCERT 2015 to run the ‘Lock Picking Village’ where participants were provided with a free set of lock picks and an introduction on how to pick them. Personally, I’ve held a long interest in lock picking since my final years of primary school and since then I’ve realised more and more how important physical security is to the overall IT security. This is shown time and time again by the success of our many internal penetration tests where we are able to take control of an organisation from within in an extremely short amount of time.
I arrived first thing Tuesday morning around 9:30AM at the RACV Royal Pines resort on the Gold Coast. After a red-eye flight and some initial concern about baggage allowances I successfully managed to convince Virgin airlines to fly some 75 KG of Lock Picks and an additional 25 KG of locks, safe dials, vices and assorted tools. Turns out that it’s not okay to try and take large locks as carry-on (even if you are below the weight limit); the airport staff won’t let you.
Immediately after arriving and before even setting up properly I began to have people who were attending training, trickle by and start getting their pick-sets and asking for demonstrations. The overall skill level of the participants was quite low; however everyone was eager to learn, and excited to own their own pick sets. Many enquired as to the legality of owning lock-picks and their use and I told them that, while I’m not a lawyer, the possession of lock-picks in your home/office is legal as long as you have a justifiable reason for possession (as a security professional, that shouldn’t be a problem). Many participants throughout the conference got quite involved and by the conclusion several had shown quite a keen interest and developed quite a bit of skill.
Over the next few days, Wednesday, Thursday and Friday we managed to hand out over 480 sets of lock picks and teach over 500 participants how to pick successfully, almost everyone that was present managed to pick at least one lock. I was able to discuss various organisations’ physical security posture and discuss Loop’s penetration testing services and introduce the concept of ‘red-teaming’ to a number of organisations. Several delegates had high praise for the ’training’ we did.
I was blown away at the enthusiasm of the delegates and the number of participants in the Lock Picking village. I’ve run similar events at conferences and have never had the same numbers of people show such a keen interest in physical security. This may be as a result of the target audience being different to the usual ‘hacker conferences’ that I attend where participants are generally more familiar with locks and physical security in general.