RFID proof of concept pulled from Black Hat

Do you trust standard RFID cards to perform a security function? Probably; most companies use electronic access cards based on RFID, such as those made by HID, to open doors. Unfortunately, they’re not much more secure than a secret handshake – someone could easily watch you do it, and then repeat it himself as needed. Granted, this isn’t news, since we all know that RFID is capable of being cloned. It’s even been done with the new US passport.

Why, then, is this fiasco at Black Hat in DC taking place? Chris Paget, of IOActive, created a simple proof-of-concept RFID cloner in his spare time over the course of a month. He then put together a 75-minute briefing on how it works, and how to build your own. There was no reverse engineering or hacking necessary, since RFID technology has been patented and is therefore public knowledge.

Unfortunately for Mr. Paget, he demonstrated his device at the recent RSA Security Conference, using a typical HID access card and reader. HID happens to be one of the best-selling implementations of RFID cards, and is a big company with too many lawyers. So when they came across the video of his demo, they decided it infringed on their intellectual property and therefore was not appropriate for presentation at Black Hat. Of course, the fact that Paget was going to show that unencrypted RFID should not be used in presumably secure access cards (the products that HID sells) had nothing to do with it.

Reminiscent of the Cisco escapade at Black Hat in 2005, HID contacted IOActive and the conference organizers, demanding that they cancel the talk and remove the slides from everyone’s printed materials. Once again, there was a lot of ripping paper out of conference proceedings to do.

I can’t blame them for giving in to the legal pressure, since defending themselves in a legal battle would be much too costly. The real losers in this situation are you and me. First of all, they are restricting what appears to be free speech, in the name of protecting corporate interests. Second, as RFID technology becomes ever more pervasive, I believe it should come under increased scrutiny. Not only are RFID chips appearing in all kinds of products, but they are also embedded in our passports and the new “Real ID” identification cards. Full disclosure is the right answer here, not security through obscurity.

Luckily the truth will get out, someone else will release the schematics for this or another simple cloner, and HID and its competitors will be forced to reexamine their implementations. At the very least, having this fiasco in the headlines will alert more corporate security folks to the vulnerability of their favorite access solution.


Inside the Windows Vista Kernel: Part 2

Microsoft TechNet has released their March 2007 issue, which includes part two of Inside the Windows Vista Kernel. This article covers dynamic memory management, ReadyBoost and related features, and the new Credential Provider architecture (replacement for GINA). It’s a good overview, but I wish there was more detail available. This is at least a start for someone trying to decide which aspects of Vista to really dig into. Part one of the three-part series is also available here.


Virtualization Security Risks?

This article on Dark Reading presents several security risks created by virtualization – at least according to a few experts. I think they are neglecting to mention enough of the security benefits that virtualization technologies (such as VMware and Xen) can provide. In my mind, the advantages of virtual machines outweigh the few added risk areas that are listed.

Yes, the hypervisor is a “new layer that’s another opportunity for attack.” However, if you convert 10 physical servers into 10 VMs running on one hardware platform, you just decreased your exposure on the hardware and physical security side from 10 to one. That’s especially true if the servers were running on disparate hardware platforms, which is often the case. You would have fewer drivers to worry about updating, and require less floor space in a secure data center.

There is also the mention of “VM sprawl” in the article. The idea is VMs will pop up out of nowhere and be unmanaged and unprotected, since the proper security controls will not be in place. In my experience, I have not seen enterprise VMs created by accident or somehow without the VM administrators’ knowledge. Sure, someone can download VMware Server and load up a virtual machine on his laptop. But that’s no different than the problem of users downloading other unauthorized software – you have to try to prevent it with policy and technical controls on the workstation.

In fact, I believe VM technology will improve our ability to manage servers, and keep our security policy enforced. Using a product like VMware ESX, you can configure a “template” VM, and deploy it as many times as needed. For example, you can make a template for your standard Windows 2003 server, with all the patches, configuration settings, security tools, and typical applications – then deploy it 10 times, and you’ve got 10 good servers up and running. There’s one less excuse for not having time to properly set up security before deploying a server.

Overall, I’m glad this topic is making some headlines, to get those of us in the infosec world thinking about virtualization. As always, there are trade-offs that need to be taken into account.


NIST Releases New Security Guides

NIST just released three great guides relating to network security. SP 800-45 is entitled Guidelines on Electronic Mail Security [pdf], and addresses topics such as securing a mail server, content filtering, various email standards, and of course email encryption and signing.

Also new, SP 800-84 is called Guide to Intrusion Detection and Prevention Systems [pdf]. It discusses IDPS technologies that are network-based, host-based, designed for wireless networks, and those that do network behavior analysis. The document has a good overview of how IDPS works in general, and goes into details of the various implementations. There’s even a section on how to select the right product for your situation.

The third new document is SP 800-97, Establishing Wireless Robust Security Networks [pdf]. This is basically a guide to the IEEE 802.11i standard, which provides much-needed security enhancements to the familiar 802.11 family of wireless standards. The first few sections are an overview of 802.11, with some history lessons on WEP and why it was such a failure, but the rest of the document is great for anyone trying to understand what 802.11i has to offer. Now if I could just get my neighbor to put a password on her access point…


SETI Finally Finds Something

A guy who runs SETI@home on a bunch of his computers used it to locate and recover his wife’s stolen laptop! The SETI client application sends its results to the main database every few days, and then downloads new work to do. Well, when this connection happens, the SETI database logs the client’s IP address. After his wife’s laptop was stolen, James Melin repeatedly checked his SETI page to see if the laptop was checking in. Sure enough, whoever stole it didn’t bother to reinstall anything, and just hooked it right up to the Internet. His IP address was logged and provided to the police, who then subpoenaed the ISP for the physical address of the customer it was assigned to. An excellent use of SETI, if you ask me.
