Security Review: Husky Union Building
The Husky Union Building is the center of life on campus. It is home to the Associated Students of the University of Washington, hundreds of student clubs and organizations, the university bookstore, food vendors, university employee payroll and accounting, information services, games area, campus-wide lost & found, US Bank, bike shop, hair salon, newsstand, event services, and many more departments.
Needless to say, there are many assets to protect in such a large, public space. Some of the more notable ones include the fully operational branch of US Bank, which resides on the ground floor. Clearly there is a lot of money as well as private records stored in the bank that must be protected. In addition, there is an accounting office on the third floor of the building that maintains records containing personal information about university employees and their jobs. These records must be protected in order to prevent crimes such as identity theft or tampering with payroll documents.
There are many adversaries who might want to break into the HUB. These include bank robbers looking to steal cash from the bank branch or from the multitude of ATMs in the building, identity thieves looking to steal private employee information, malicious employees looking to alter work records for profit, homeless people seeking a warm place to sleep, people attempting to steal items from the lost & found, vandals, etc.
The Husky Union Building has many weaknesses. First, it has many entrances and exits that must be monitored. There are countless doors that must be manually locked and unlocked at the proper times, and if just one of them is overlooked, an adversary can gain access to most of the building. This is analogous to having a lot of unfiltered ports open on a computer; the more potential entry points there are, the greater the risk. In addition, there are many windows on the ground floor that are accessible from the outside. This can be especially problematic during the summer, when people open their windows and sometimes forget to lock them when they leave. Another weakness the building has is that it is a very public place where lots of people work, so it can be hard to identify someone who shouldn’t be there, even after hours. The HUB doesn’t have a building-wide security system, and many staffmembers have keys to the building, so it’s not uncommon to see someone walking around inside, even late at night.
The HUB does have some defenses against adversaries. Every night, there is a trusted student employee, called a Student Building Manager (SBM), who walks around and makes sure everything is in order. The SBM is in the building as late as 12:30am on some nights, and has keys to every room in the building so he/she can check up on things. The SBM has a radio, and can call the nearby UW Police at the first sign of trouble. In addition, there are safes at various locations in the building that are used to store valuables, such as money and records. These safes, which are already in locked rooms, are an example of a defense-in-depth approach that was chosen by the building administration.
Despite these defenses, the HUB is definitely still at risk. The Student Building Managers, for example, keep their building keys on their personal key chains so that they can get in and out of the building after hours when they need to. It would be trivial for an adversary to steal one of these keys from a student and use it to gain entry. In addition, the system relies on trusting the SBMs, and although they are experienced staff who have shown responsibility and have perfect track records, they are still susceptible to malice and could do a lot of intentional harm. In addition, one of these students could forget to lock a door properly and unintentionally allow someone to gain access.
In conclusion, the HUB is a large entity that cannot easily be protected. There are rudimentary security measures in place to deter casual adversaries, but in truth it wouldn’t be too hard for an outsider to gain access. The university should consider installing a more robust security system in the building, or at least set up some kind of surveillance. It also wouldn’t hurt to have a security officer walking around on each floor, rather than one student employee who leaves at midnight.
Comment by rybolov
March 20, 2008 @ 8:47 am
So why don’t you break the HUB down into enclaves?
That way, you have an bank enclave, an accounting office enclave, and an information services enclave where each entity is responsible for their own security. Then give away the commons, or at least provide the same basic level of security that currently exists. IE, instead of having surveillance cameras everywhere, you only have to have them around the enclaves, where all the good targets are located.
I think if you look at it that way, you’ll find that the natural inclination is to enclave off certain areas and that inside the HUB that has already happened.
If you don’t limit the scope of what you protect for common access or public areas, you’re no better off than people trying to secure the Internet, and we all know how effective that is. =)
Comment by Spyder
March 21, 2008 @ 5:08 am
You guys may want to take a look at your own postings in terms of security. Came across this through a Wired.com article mentioning the class. I think the site is awesome, in the terms that I think along these lines as well and find it great to see new viewpoints.
However, it seems you went with “security through obscurity”. And now that the obscurity has been lost, you might wish to take another look at your security.
Is it really the best thing to show that there are current establishments that have some issues that need to be looked at? I understand posting about future systems (ie. RFID cards, smart guns). But pointing out that the Husky Union Building contains the relevant information it does AND is possibly not secure as it should be?
For myself, this seems like something to (possibly) post a summary of for the public only (if even that), and limiting the full review to only your class. Then, follow up with speaking with someone (with the power to correct it) about the possible security risk.
However, the reverse side of that coin:
I would not like to give up my freedoms and live in 1984, be constantly monitored by video, or walk down the streets and see concrete barriers around buildings and along the streets.
Comment by FireWolf
March 21, 2008 @ 6:59 am
“However, the reverse side of that coin:
I would not like to give up my freedoms and live in 1984, be constantly monitored by video, or walk down the streets and see concrete barriers around buildings and along the streets.”
What planet are you living on where in 1984 you were walking down a street being constantly videotaped/monitored? Did you work for the mafia?
Living in society today is worse than 1984. At least back then, you could still get gas below $3.00/gal 😉
Comment by Kris Plunkett
March 21, 2008 @ 8:24 am
In response to Spyder’s comment, I would agree that there are situations where making certain security vulnerabilities public degrades the security of the system and may not be the best immediate approach. However, I feel that, for several reasons, posts such as this do not fall into this category.
First, in my opinion this particular post does not give enough details outlining how one would actually go about attacking the HUB. Similarly, a while ago the BBC did a Newsnight showing how some Cambridge researchers were able to attack the “chip and pin” credit card systems in the UK. They told as much as they could but left out the important details that would have enabled anyone to execute the attack just by watching the show.
Second, any worthwhile criminal is already going to know all of this, and if they don’t, discovering it would only take a half day of observation and simple social engineering.
Finally, I believe that this information being made public does much more for the public in general through public awareness than it would benefit any criminal or would-be criminal.
However, I completely agree that anyone doing a security analysis, whether amateur or professional, should carefully consider the actions they take upon finding vulnerabilities in an important system. No fear! We did in fact discuss this in an ethics component of the course.
By the way, I think that the REAL security risk here is already present: the fact that a student (the SBM) walks around at night with the keys to all the doors. Trusted or not, that makes me more than a bit nervous.
Comment by Kris Plunkett
March 21, 2008 @ 12:31 pm
Firewolf:
Spyder is referring to the book titled “1984” by George Orwell, in which he depicted a futuristic (at the time it was written) dystopia in which the government exerted complete control over its citizens and privacy non-existent. It is a fascinating read that I highly recommend!
Comment by DocMara
March 24, 2008 @ 6:36 am
One way of making things more secure is paradoxical. You reduce vulnerability by increasing its publicness. Instead of locking things up, create public spaces where students can be there 24 hours per day. After all, students are actually UP at all hours. Open a public safety branch IN the HUB and better train students to monitor their surroundings. Universities may rather have students be preyed upon in the dark bars and apartments surrounding campus, but there is a certain responsibility to provide brightly-lit and semi-safe common areas for people to, you know, learn. The more good guy “eyes” you have, the less likely you will have predation and chicanery.
Comment by Munin
March 26, 2008 @ 7:06 am
Increasing public access is not really a solution unless it is a reasonably tight community and the public present knows the people who have access to the secure areas by sight. Otherwise you are effectively leaving the building open to anyone who looks comfortable and confident.
One way of increasing security in this case would be to have pictures/posters of the student officers/employees prominently posted on noticeboards. If they have public duties these would serve a dual function of improving security and helping people find the correct person to talk to.