Password Leak Analysis
On December 4th, 2014, the Toni Areal – a newly renovated area – in Zürich was in a state of panic. The reason: Someone triggered the alert at the Zürcher Hochschule der Künste (ZHdK) – known in English as the Zurich University of Arts. It was the third alert in three weeks and the initial nonchalance about the alert, due to the phenomenon we all know from the old fairy tale The Boy Who Cried Wolf, soon was replaced by serious concern. In announcements over loudspeakers, the police advised all people inside the building to hide in rooms that can be locked, stay close to the ground and stay away from windows. Apparently, someone was running amok at the ZHdK.
This state of fear and staying in hiding lasted for hours. Police searched the 1400 rooms of the university with the intervention unit Skorpion, a unit that can be compared to a SWAT-Team. Approximately 100 Polizeigrenadiere – policemen that are more heavily armed and armoured – were on scene, about 5000 people were locked in the building and stuck to the orders given by police (some more, some less) using the building’s speaker system. At 11.55am everyone was relieved to hear that there was no danger. However, on that day, no classes would be taking place. Everyone inside the building was asked to leave the building in a calm and orderly fashion.
In this video, people talk about their experience and how they reacted. Quotes rage from I didn’t believe anything was wrong, this is Switzerland after all by the woman with the French accent in the beginning to I doubted that there was anything wrong, but I had to assume that it was right by the German speaking man following the French woman and ultimately this whole police operation must have cost a lot of money by the man with the headphones in the end.
During the event people were wondering: Was it a really bad joke? Was there someone who really did not want to take a test at the university that day? If that’s the case, then did the police overreact? Or should every potential threat be addressed as if it’s the potentially worst case, risking that people will shake their head and claim that it was an overreaction after the fact?
To judge a situation in which threats have been made that are believable is incredibly difficult and for a layman probably completely incomprehensible. But what happened on December 4th was – as seen after the fact and analysis of the facts – a grand technological error. The alert, that ended up costing _several tens of thousands of Swiss Francs according to Marco Cortesi, Zürich police media spokesman, was triggered by someone dialing the wrong number and getting to an automatic, secret alert number. This didn’t happen on purpose but by accident and the caller was probably unaware of it until the police showed up.
To better understand how that works: The ZHdK has an emergency number – for this article, we’ll use the fictional number 044 XXX 1324 – set up that every time someone dials the number the alert is triggered. However, if someone wants to dial a friend whose number is 044 XXX 1234 and accidentally calls 044 XXX 1324, the alarm is triggered. Actually, it’s quite amazing that this system – undoubtedly designed with the best of intentions – hasn’t been accidentally triggered until today. Because the mechanism is about as fragile as putting a train’s emergency brakes right above the button that opens the train’s door and have the emergency brake button look exactly the same as the one that opens the doors.
A lot of people in InfoSec remember Wardialing, a technique that has aged quite a bit. Using dedicated software, people used a modem to call a certain range of phone numbers and note which numbers respond by, let’s say a fax machine or a – as it was used in most cases – modem that was used for remote access. Wardialing gained global attention when it was shown accurately in the 1983 movie WarGames. It is quite worrisome that it would have been easy, trivial even, to trigger the alarm at the ZHdK and thus mobilize a massive police force.
In our projects, we tell our clients that security by obscurity is not a valid model of security. Of course, it’s a valid option to store the authentication mask under
/admin/, but it’s a far better option to have a multi-factor authentication implemented. And that’s exactly what the ZHdK should have done in some way shape or form: At least a message alerting the caller to having reached an alert hotline that offers the caller a five second window to hang up the phone before the alarm is triggered. Or a combination of numbers to enter so that the alert is not triggered by accident. Given the fact that we’re living in the year 2015 now, it’s very probably technologically feasible to have something like that and thus, a lot of time, hassle and money could have been saved.
The ZHdK has deactivated the alert hotline. An emergency measure, as the media reported. Which measures are taken to replace the hotline is unknown. I hope that the incident on December 4th has led to some lessons learned and ultimately leads to the certainty that incidents like the one on that day can’t repeat themselves. It is these incidents that lead to polemics, to exaggerated criticism of the police – who reacted amazingly well considering they had to assume that this was a serious and immediate threat – and insecurity should the worst case occur for real.
Still: If you’re working a wardialer in the canton of Zürich, it’s probably good practise to just be careful. Because safe is safe.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here