RE: FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack
Topic: Computer Security
9:58 am EST, Jan 7, 2008
Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.
"There are places where the networks are not touching, and there are places where they are," she said.
What?! Either the networks are connected or they are not. There is no middle ground. This isn't some enterprise network where you've got to have connectivity and you put in a firewall but every once in a while a virus outbreak happens anyway and you loose a day. This is an airplane. One virus outbreak on your internal network and you kill a lot of people. Conclusion: REAL, REAL f*#king stupid!
Agreed, this is completely insane.
On the other hand, I'm sure abaddon would love to fly his own 747, and now he can! Might not be worth the trip to guantanamo however.
w00t is Merriam-Webster's Word of the Year for 2007 - Boing Boing
Topic: Computer Security
10:24 am EST, Dec 13, 2007
Voters at Merriam-Webster's Word of the Year 2007 poll have chosen "w00t" as 2007's most iconic word. M-W says that the word is a gamer's acronym for "we own the other team," but I'm inclined to think that that's a backronym, a back-formed acronym created to explain a word already in use.
I am simultaneously amazed and annoyed at the misattribution of this word.
Not to mention that they at least 5 years, possibly 10 years behind.
Four teams of researchers from universities in the U.S., Canada, Poland and the United Kingdom begin competing today in Portland, Oregon, to win a prize for the best open-source voting system. The three-day University Voting System Competition, which ends July 18th, is sponsored by the National Science Foundation.
Some interesting approaches will be demoed here.
And then, likely, promptly ignored by everyone.
Sorry, too cynical?
I really do hope it goes somewhere, but I'm not betting on it.
This is rather magical, considering that the tag is credit card-thin and contains no battery. The trick is the same as for RFID tags. The reader constantly transmits a rather strong carrier; the tag derives its power and clock from this carrier, kind of like a crystal radio. The tag changes how much carrier it reflects back at the reader—loosely, it makes the circuit across its antenna more like a short or more like an open—to transmit its code. The reader and the tag both have antenna coils tuned to the carrier frequency; they work like a loosely-coupled resonant transformer.
I'm not sure this is a correct assumption in all cases. Certainly there are many passive cards (perhaps most of them?) which utilize the induced current from the sensor to drive the action of the card.
I believe, however, that there are also active cards, with an internal battery, which work by receiving an activation signal from the reader, thus causing them to transmit their ID. Crucially, the range of that transmission wouldn't be related to the power of the reader's signal, because it's generated internally. You could trigger the card to send it's ID from arbitrarily (as powerful as you could make the signal) far away, but the card's never going to transmit with enough power to be read at that same distance.
The one semi-sensible thing the HID representative said was that a cloning attack would be far more difficult for such active cards. Not impossible, just difficult. You really would have to get the cloning sensor within a couple of inches, perhaps less.
I know for a fact that I've had cards which contain batteries and when they fail, the reader does nothing... not denial, not error, nothing. This indicates to me that the card itself controls the power and therefore the range of the signal carrying the ID code.
That being said, if such a cloning attack is so hard, why is it so dangerous to release schematics for a cloner? It's paradoxical for the company to say simultaneously that the attack is almost impossible to execute and that it's a dangerous and irresponsible thing to discuss.
The truth is at the crossroads of all these things. For some cards, this is a danger, for others, much less so. Regardless, customers of these systems will get nervous and it'll cost the vendors time and money, possibly a lot of it. Ergo, no matter how real the threat is, the vendors will shut it down so as to save the implicit loss of customer trust. They should rely on their customers to listen to them when they say, "Yes, this was demonstrated, it's not a threat against X, Y and Z product lines because of A, B, C reasons and product line Q is being phased out for precisely these reasons." Twisting the legal system to derail security research is wrong.
HID has claimed that teaching others about the information violates two of the company's patents, IOActive's CEO Josh Pennell told reporters in a conference call on Tuesday. On the advice of lawyers, Pennell would not describe other details about the claims.
This really does seem completely insane. How, in any rational sense, can this violate patent law. I thought the only way to violate a patent was to produce a *product* which incorporates methods or technologies that have been patented. Are they trying to make the claim that since information is the product of this company and researcher that the words themselves are derivative works? I don't get it.
"If I say anything, HID will sue us," he said. "Large companies have lots of resources, and small companies, such as IOActive, don't."
It feels like July, '05 all over again. I feel bad for the researcher... maybe abaddon can send him one of those fancy White Hats with "Good" emblazoned on the front, just as a consolation.
I like the statement
Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.
In other words, "we know our shit is insecure and it will cost us a lot to fix it and even more if our clients" -- government being the largest, presumably -- "get freaked out." What a bunch of garbage.
"These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
This is a direct re-hash of the arguments made against Mike 2 years ago. "It's all for publicity." "It's irresponsible."
Of course, it's totally ok to sweep known security issues under the carpet and pretend everything's secure for your government clients...
Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
Topic: Computer Security
5:08 pm EST, Nov 29, 2006
A long-overdue wake up call for the information security community.
This popped up on Slashdot recently. I'm curious to get feedback from the security experts here at Memestreams.
I'm no security expert, but he seems about on target to me. He has someone in there quoted as saying the internet is "one exploit away from a complete meltdown" and know of at least one memestreams regular (ahem) who can certainly speak to that (though legally not in great detail).
Guardian Unlimited Technology | Technology | Scientists, be on guard ... ET might be a malicious hacker
Topic: Computer Security
11:38 am EST, Nov 28, 2005
He believes scientists searching the heavens for signals from extra-terrestrial civilisations are putting Earth's security at risk, by distributing the jumble of signals they receive to computers all over the world.
Now why didn't I think of that!
[ This concept has been found in sci-fi for as long as there have been networks of computers. Vernor Vinge, in particular, comes back to the concept of manipulating plantary data netwoks in many books (including the pre-cyberspace-era True Names, which is considered a very important work by many very smart people). I don't think we have much to worry about. Not because I don't think it can be done... surely digital computers wouldn't be beyond an advanced race, but becuase I think they'd have to be nearby. Latency to other star systems is a bitch.
I suppose it's not impossible that some race is broadcasting a cleverly mutating virus targeted at digital systems, but I kinda doubt it. -k]
CRM News: RFID : Chase Bank Rolls Out Contactless Credit Cards
Topic: Computer Security
1:39 pm EDT, Jun 13, 2005
Security experts familiar with the cards' radio frequency identification (RFID) technology, described by Chase as "contactless functionality," expressed some concern over the devices' security strength. Some have suggested that they may make it easy for perpetrators to commit fraud or identity theft.
Saw an add for ChaseBlink tonight. This ought to be interesting... Contactless credit card purchases. No signature. No pin. Just waive it over the reader. I can tell you how I'd have designed it, but I would be suprised if there were no vulnerabilities here.
While this is rather elaborate, a computer controlled rfid device connected to increasingly common cellular wireless internet systems relays the transaction to another reader, maybe taped to a chair in a shopping mall foodcourt.
[ I just got one of these in the mail. I had been a BankOne customer, and then Chase bought them up. So my BankOne visa is now a Chase visa with Blink. I'm not 100% happy about it. I think this one may end up getting cancelled, since I'm not *really* into walking around with a foil wrapped credit card. Still, if anyone's got a reader, we might be able to play with it... i'm kinda curious what's on there.
[ My feelings echo Tom's somewhat. I think the most dangerous aspect of these machines is the certification process, pre-election access to the devices, malicious or shitty code, and hardware failure.
If you could pull smartcard shenanigans, as Decius says, it'd be all over... no one pays attention once you walk up there and pop in the card. I did notice that the cards were yellow today, but were white the last time i voted. Perhaps you'd need to take the step to match the color if you were gonna swap.
The machines plainly indicate how many votes it's taken for the day. When i went at about 10 am, my machine had already processed about 30 votes. That's only 10 an hour, so maybe each machine registers 100-250 votes... Even if somehow you could get 2 minutes per person average, you could only cram in 360 for the day. As Decius says, this substantially mitigates the effect of a single machine compromise... the election would have to very close.
I'm still not happy with these things, overall, but it could be worse. -k]