But it does rather focus the mind, and, as promised, this blog post is to cover the issues we had, the complacency and errors, and some of the steps we have now taken.
Posting any details of our security may be a potential risk, but apart from considering the impossibly small set of people that read my blog and are involved with criminals in the area, I am also restricting this to stuff that you can deduce yourself if you visited or cased the joint anyway.
What happened
The went away and came back with a small van or estate car, drove up to the door and broke in. It seems they brought a drain cover, the role of which is unclear. Somehow (also unknown) they forced the doors. They then quickly grabbed four iMacs, two 30" apple monitors, two iPad minis, two laptops, and took a TV off the wall (one so old we were about to throw away).
They were clearly in a hurry, but spent around 5 minutes on site. Police say they would have assumed a silent alarm. They grabbed kit and took it, breaking connectors in some cases, and dragging stuff off desks as they went. Clearly in a hurry.
What they did not take
What they did not take was a surprise. I will not list everything, for obvious reasons, but there were several high value items in the room they did not consider, and some easily disposable items such as a brand new TV in a box, two brand new monitors in boxes, even a box of expensive whisky. However, if you are going to turn over an office like ours they missed a very obvious and high value set of items - the chairs. Herman Miller chairs run to hundreds each and are routinely sold second hand with no serial numbers. But they did not bring a big van, so probably why they did not touch them. My guess is the chairs were worth the most in terms of easily movable items.
Surprises
They took iMacs and iPads. As we understand it these will never be usable as they are, being locked to apple IDs. They knew to turn off the iPads, for example, to stop them being traced. The only idea here being that they can break stuff down for spares.
What we can learn from that
A really obvious thing that you just don't think of is that the value of an item to a thief is very different to the owner. We have lots of valuable stuff, valuable to us, but not something they could sell. They did not touch the boring black generic monitors or the generic linux under-desk PCs. Once assumes that (a) they knew there was lots of apple stuff, and (b) they have a means of disposal for it.
What we did wrong
This is obviously something we can go in to more detail on, having fixed it all. It comes from over 17 years of not being robbed - complacency.
To get to the office they had to breach two mag-locked doors. Now, if you have ever tried, a mag-lock is damn strong. They do not come apart and you will damage the door frame before they do. We are at a loss as to how they breached the outer door as it is pull not push, but the inner door may have been shocked by a heavy object (perhaps the drain cover).
Having just mag-locks seems silly in hindsight, but the fact you have to get passed two of them, and the alarm would sound anyway and we would know and be there in minutes, is why we did not worry too much.
Unfortunately there were issues - the outer door closer was not quite right, and could leave the door ajar (now fixed). The staff that locked up were adamant this was not the case, but it would have been easy to miss. Even so, the mag lock may be force-able with a crowbar on the door or some such, no idea.
The other big issue is that the alarm was not set. For this I blame the total stupidity of alarm systems. If something upsets them for any reason, and you try to set them, they will just not set. This is bad design, in my opinion, and annoys the crap out of me. It seems something (a previous false alarm / error) left the system in "RESET REQUIRED" state and so it did not set that day. There was no obvious way for staff to see that it was not set. This is something we have fixed!
Another annoyance is the installers for the alarm system (a proper alarm company) did not fit any of the door sensors. Every door has a reader and mag-lock and that reader will work with a door sensor. They don't fit as a matter of policy as too many support calls!
Had the sensor been fitted then I would have been alerted with a "DOOR FORCED" alarm as soon as they got through the outer door even though the alarm was not set. I would have been there with a camera and a phone calling 999, within around 2 minutes. We have had false alarms (numpty cleaners) in the past and know we can get there very quickly.
Other issues - the car park has a gate and we are meant to shut it, but it has a combination lock that is fiddly, had an obvious code, was routinely left with the code on display, and nobody bothered to lock. This was not just us, but the other units in Enterprise Court. We suspect that blocking physical access would have stopped or hindered the burglary.
So, lots of separate errors compounded the situation - they got in and took stuff and we did not even know until next morning. They could have driven a truck up to the door and spent an hour cleaning the place from top to bottom if they wanted to!
Deterrent
We have set up internal security cameras that are obvious and include the lobby areas. We have even put a monitor in the lobby to show the camera feed so people see themselves on screen when casing the joint.
We have put smoke cloak "security fog" labels on the doors.
Detection
We have wired every single door to have a door sensor, some with more than one. This means that even if the alarm is not set a forced door will alert staff.
We have set up new reporting systems to alert multiple staff of any alarms or issues. We have remote viewing of the security cameras so any staff alerted can see the office, see if a real break in, and call 999. Of course, I can be there in 2 minutes as well, but the cameras almost remove the need for that.
We have added additional sensors as well. We have also gone to a lot of steps to make it very very clear to staff if they have, or have not, set the alarm at the end of the day. Not going in to details, but there are several separate indicators to staff including text messages.
Prevention
We are no longer relying on a simple mag-lock on the main doors. We have a very nice, professionally installed, motorised deadlock which claims to stand a tonne of force.
The fact that the deadlock engages is one of the things staff can easily see to confirm the alarm is set.
We have a new lock for the gate - one that uses up/down/left/right movements in a sequence. Once you can set, in the dark, with gloves on, and does not leave the combination on the display. Everyone in Enterprise Court is taking security more seriously now.
Mitigation
Once someone does get in - and that is possible as they could just break windows - we have taken further steps.
Some simple steps anyone can take, given what we now know, is Kensington locks. Everything is locked down - in one case kit is locked to a very heavy drain cover under a desk, but mostly stuff is locked to the desk. This does not stop someone taking stuff - simply having bolt cutters gets passed these, but it adds time and delay. They have very limited time to get stuff.
The other big change is a smoke cloak - this is awesome - it makes it so you can barely see your hand in front of your face, or the floor to walk safely, within around 15 seconds. It takes a good ten to fifteen minutes to start clearing even if opening all of the windows. It is around £2k, but very cool. See the video.
Data security
Something we have considered is data loss. The machines taken were very much terminals in that they did not store any data locally - they were used for email and web access to secure systems. That does not rule out cached copies on the machines holding personal data. Obviously all stored passwords were immediately changed, and the machines taken were locked to an apple-ID and wiped if they ever see the light of day. But we have ensured replacement systems (mostly linux) have encrypted file systems, just in case.
Conclusion
Don't wait to be robbed - think of every step: Can you deter them - visible signs of security and cameras; Can to detect them - good alarm systems; Can you prevent them getting access - good locks; Can you mitigate what they do - smoke cloak is awesome.
Does the smoke cloak not present a H&S risk in the cases of a nuisance alarm ?
ReplyDeleteSeems unlikely that anyone would set the alarm and set it off with staff in the room, but it is, none the less, a small room, and if there was no fire at the same time staff can simple stay where they are until it clears. In practice none of the staff had any issue finding windows to open and coping, albeit slowly, to navigate the room when tested. So no - take your elves with you.
DeleteHow about this scenario:
Delete- Cleaners set it off accidentally
- they call the fire brigade
- fire brigade soak your computers.
How about (a) we don't have contract cleaners any more, (b) if fire brigade called they see the big sign saying smoke cloak installed and are experienced enough to tell glycol vapour with no smell from real smoke
DeleteIt is almost worth leaving some "shiney" for them to pinch to steer them away from the £WorthMore
ReplyDeleteI've experienced Mag Lock security before, you could open the door of a previous employers computer room with either a sharp pull or a thump on the door below the mag lock. The security company that installed it stated after the fault was reported the Mag Locks weren't there to keep door secure and wouldn't fix it. It was a very well known security company so a small local installer.
ReplyDeleteThen one must wonder, what were they there for?
DeleteQuite. They obviously are meant to provide some level of security.
DeleteMag locks only work when the power is on and are easily subverted.
DeleteYes, they are access control, not security. There is a big difference, & you should probably consider a claim against whoever put the door in if they didn't fit a lock!
If you come to 44con or any of the other good conferences (you just missed bsides London) come and have a chat. I'll be the one surrounded by locks.
Wouldn't mind betting that they assumed that boxes of TVs and stuff were/could be empty. At least, you'd be pretty annoyed if you broke in somewhere and then discovered that you'd made off with a stack of empty cardboard boxes. :)
ReplyDeleteI have never installed mag locks on external doors without stating very clearly to my clients that the mag lock is *not* sufficent for insurance purposes! Firstly, if the mains fails or the mag lock fails, then it will unlock the door, and if that happens when you're not there, well, you can imagine the rest. So I always insist upon there being a physical lock present also, and my preference there is that it should have a fail secure strike on it. They're OK for a building which is 24/7 occupied, or for daytime access, but out of hours a physical lock is best. And they are trivial to pop open, you just apply a lot of pressure right at the bottom of the door and the torsional forces will cause the maglock to pop open. Usually done by having one person sit and tension the door, and another person then give it a good boot.
ReplyDeleteThe mag locks all have battery backup so if power fails we can go in and use a mechanical key.
DeleteDoesn't stop a PSU failure from dropping the power to the mag, nor does the mag lock failing itself! And if the PSU fails, and nobody notices (do you have power fail monitoring on them?) then when the battery runs flat it's open again!
DeleteLots of monitoring.
DeleteLol, I bet you do now ;)
DeleteWhat alarm system are you using and how can you use SMS to notify if it's not set? We use ADT alarms - would be nice if they offered an API to check this? I assume you do something like checking if it's unset after a certain time of day.
ReplyDeleteGalaxy, and we just reverse engineered the Ethernet logging.
DeleteDavid - check out Selfmon.co.uk - they do their own Galaxy Ethernet board, as well as a monitoring service. I have one at home :)
DeleteThis comment has been removed by the author.
ReplyDeleteLook at something like the Abloy EL560, this is a 'proper' access control lock with a shoot bolt. Main advantages is that it's a normal lock which fails secure in the event of complete power loss, has a normal euro cylinder for key override, and also meets all of the building regs so you don't have to have it fail-open in the event of a fire alarm
ReplyDeleteHave a look at the Abloy EL560, this is a "proper" access control lock in that it fits into the normal lock location and has a physical mortice lock on it.
ReplyDeleteIt also fails-secure in the event of a power fail, and has a euro cylinder for jey override. It also satisfies the building control lot who normally say access control should fail-open in the event of a fire alarm.
I think that's what they've had installed now.
DeleteDo you have any issue with the Fire Alarm and the Smoke Cloak?
ReplyDeleteThe smoke alarms go off, but they are not linked to anything. The fire alarm does not have smoke detectors in there. There are, however, specific types of detector that can be used, so we'll probably add some.
DeleteShould point out that the SmokeCloak and all others have a scent added so it is ready to tell the difference.
DeleteAlso, make sure it actually had the effect you want. If the doors are propped open, does the smoke ball simply float outside? It needs to 'splash' and spread through the room.
@RevK. Are you able to share the Galaxy Ethernet code that you've written?
ReplyDeletehttp://aa.net.uk/free/galaxy.c
DeleteThere are, of course, different tiers of monitoring services. Not sure what they are though. At any rate, our sales rep also attempted to sell us monitored heat/smoke/CO2 detectors (which were quite expensive, but don't remember the exact prices). Also a couple of home automation features that I promptly nixed as well.Penrith CCTV systems
ReplyDelete