Archive for February, 2007
Learn to secure Linux while hacking it
It’s one thing to learn about buffer overflows, reverse engineering, and SQL injection, but it’s a lot more helpful to actually do them hands-on. Damn Vulnerable Linux, a distribution based on Damn Small Linux, comes with all the outdated, unpatched, highly vulnerable software you could possibly want in a security playground. It also comes with plenty of tools to help you exploit the plethora of available vulnerabilities.
This is perfect for someone looking to do some hands-on hacking in a safe environment. Just load up DVL in a VMware virtual machine and have at it. To make things even easier, there’s a “getting started” video, and several built-in lessons.
RFID proof of concept pulled from Black Hat
Do you trust standard RFID cards to perform a security function? Probably; most companies use electronic access cards based on RFID, such as those made by HID, to open doors. Unfortunately, they’re not much more secure than a secret handshake - someone could easily watch you do it, and then repeat it himself as needed. Granted, this isn’t news, since we all know that RFID is capable of being cloned. It’s even been done with the new US passport.
Why, then, is this fiasco at Black Hat in DC taking place? Chris Paget, of IOActive, created a simple proof-of-concept RFID cloner in his spare time over the course of a month. He then put together a 75-minute briefing on how it works, and how to build your own. There was no reverse engineering or hacking necessary, since RFID technology has been patented and is therefore public knowledge.
Unfortunately for Mr. Paget, he demonstrated his device at the recent RSA Security Conference, using a typical HID access card and reader. HID happens to be one of the best-selling implementations of RFID cards, and is a big company with too many lawyers. So when they came across the video of his demo, they decided it infringed on their intellectual property and therefore was not appropriate for presentation at Black Hat. Of course, the fact that Paget was going to show that unencrypted RFID should not be used in presumably secure access cards (the products that HID sells) had nothing to do with it.
Reminiscent of the Cisco escapade at Black Hat in 2005, HID contacted IOActive and the conference organizers, demanding that they cancel the talk and remove the slides from everyone’s printed materials. Once again, there was a lot of ripping paper out of conference proceedings to do.
I can’t blame them for giving in to the legal pressure, since defending themselves in a legal battle would be much too costly. The real losers in this situation are you and me. First of all, they are restricting what appears to be free speech, in the name of protecting corporate interests. Second, as RFID technology becomes ever more pervasive, I believe it should come under increased scrutiny. Not only are RFID chips appearing in all kinds of products, but they are also embedded in our passports and the new “Real ID” identification cards. Full disclosure is the right answer here, not security through obscurity.
Luckily the truth will get out, someone else will release the schematics for this or another simple cloner, and HID and its competitors will be forced to reexamine their implementations. At the very least, having this fiasco in the headlines will alert more corporate security folks to the vulnerability of their favorite access solution.
German Enigma encryption device
If you’ve ever wanted to see how a German Enigma machine encrypts something, this Flash demo is perfect.
Like other rotor machines, the Enigma machine is a combination of mechanical and electrical systems. The mechanical mechanism consists of a keyboard; a set of rotating disks called rotors arranged adjacently along a spindle; and a stepping mechanism to turn one or more of the rotors with each key press. The exact mechanism varies, but the most common form is for the right-hand rotor to step once with every key stroke, and occasionally the motion of neighbouring rotors is triggered. The continual movement of the rotors results in a different cryptographic transformation after each key press.
For more on Enigma’s history and mathematical foundations, check out the Wikipedia site.
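To make the rotor mechanics concrete, here is an added Python simulator of an Enigma I with rotors I, II, III and reflector B. It is not code from the original post or the Flash demo; it uses the published historical rotor wirings and turnover notches, assumes ring settings of A and no plugboard, and the helper name enigma_transform is my own. It shows the right-hand rotor stepping on every key press, the notch-triggered stepping of its neighbours (including the middle rotor’s double step), and the consequence that the same input letter is transformed differently on each press.

```python
"""Minimal Enigma I simulator: three stepping rotors plus a reflector.

Added example (not from the original post). Assumes ring settings "AAA"
and no plugboard; wirings and notches are the published Enigma I values.
"""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Historical wiring for each rotor and the window letter at which its
# notch causes the rotor to its left to step on the next key press.
ROTOR_WIRINGS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name, position="A"):
        wiring, notch = ROTOR_WIRINGS[name]
        self.forward = [ALPHABET.index(c) for c in wiring]
        # Inverse permutation for the return path after the reflector.
        self.backward = [self.forward.index(i) for i in range(26)]
        self.notch = ALPHABET.index(notch)
        self.pos = ALPHABET.index(position)  # letter visible in the window

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def encode_forward(self, c):
        # The rotor's rotation shifts which contact the signal enters.
        return (self.forward[(c + self.pos) % 26] - self.pos) % 26

    def encode_backward(self, c):
        return (self.backward[(c + self.pos) % 26] - self.pos) % 26


class Enigma:
    def __init__(self, rotor_names=("I", "II", "III"), positions="AAA"):
        # Rotors are listed left to right as seen in the machine.
        self.rotors = [Rotor(n, p) for n, p in zip(rotor_names, positions)]
        self.reflector = [ALPHABET.index(c) for c in REFLECTOR_B]

    def _step(self):
        """Enigma stepping: rotors move before the electrical path closes."""
        left, middle, right = self.rotors
        if middle.at_notch():          # middle at notch: it and the left rotor step
            middle.step()
            left.step()
        elif right.at_notch():         # right at notch: middle steps
            middle.step()
        right.step()                   # right-hand rotor steps on every key press

    def press_key(self, letter):
        self._step()
        c = ALPHABET.index(letter)
        for rotor in reversed(self.rotors):   # right to left into the reflector
            c = rotor.encode_forward(c)
        c = self.reflector[c]
        for rotor in self.rotors:             # left to right back out to the lamps
            c = rotor.encode_backward(c)
        return ALPHABET[c]

    def transform(self, text):
        return "".join(self.press_key(ch) for ch in text.upper() if ch in ALPHABET)


def enigma_transform(text, positions="AAA"):
    """Encrypt or decrypt text with fresh rotors at the given start positions."""
    return Enigma(positions=positions).transform(text)


if __name__ == "__main__":
    print(enigma_transform("AAAAA"))          # same key, five different outputs
    print(enigma_transform("BDZGO"))          # same settings decrypt the result
```

Because the reflector is a permutation with no fixed points and the rotors only conjugate it, the machine is its own inverse at a given rotor position: typing the ciphertext with the same start positions returns the plaintext, and no letter ever encrypts to itself, which is the weakness that later cryptanalysis exploited.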
Hacker myths debunked … maybe
Dark Reading has done a survey of “black hats” to shed some light on what they call the top 5 myths about hackers. I’m not sure how you take an accurate poll of people who want to be completely anonymous, but I guess they have their methods:
In a survey of 116 individuals who spend at least part of every day trying to break into systems they’re not authorized to access, we received a lot of feedback from people who don’t fit either the image of the pimply-faced script kiddie or the hardened criminal. And, for the most part, they’re anxious to break both stereotypes.
Some of the results are surprising to me, while others are pretty obvious. Yeah, it’s no surprise that only one of the people they surveyed was under 18. The younger kids probably wouldn’t talk to them, nor would they be as well known in the community. It’s also pretty obvious that hardly anyone they talked to admitted to hacking for profit. If I were a criminal making money, why would I admit that to a magazine survey?
Now the part that did surprise me is the last myth. Apparently, black hat hackers are not worried about getting caught by corporate security or law enforcement. I would have thought that’s one of their primary concerns. Then again, they do talk about covering their tracks, which is done to prevent getting caught. So maybe they really are a little worried, after all.
Dealing with your own security bugs
Suppose you are a software vendor and you discover a serious security flaw in one of your popular products. How should you deal with the situation? You could try to hide it and hope no one else discovers it, or you could release a patch with full details of the vulnerability. Of course, there are several options in between those two, and this article in the ACM Queue discusses how to choose one. There are other considerations once you decide on an approach, such as how much detail to disclose, whether or not to give credit for the discovery to an external organization, and the timing of the announcement.
Overall, the following possible approaches are covered: silently patch; patch and announce without details; patch with full disclosure; announce without patch.