Monday, February 26, 2007

Black Hat Federal this week

If I were there, I'd definitely make a point of seeing Jose Nazario and Ollie Whitehouse. Both are delivering fairly new talks on the con circuit, and they look like interesting stuff. If you catch either of the talks, let me know what you think.

Also, if you haven't heard already about the Chris Paget talk that has been withdrawn from the conference, go read this now. Then go make a donation to the ACLU for being the good guys.

Y'all know I'm a big supporter of responsible disclosure, but when I read things like this, I have to shake my head and wonder what the vendor is thinking.

"These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

Yes, where is the sense of responsibility? Such as HID's responsibility for delivering on their promise of a security solution to customers? Does HID deserve an opportunity to work with researchers to fix their security problems and protect customers? Absolutely. But these vulnerabilities have been widely known for over a year, and until now have been pooh-poohed by HID.

She [Kathleen Carroll, a spokeswoman for HID's Government Relations group] said that the company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are as vulnerable as Paget suggests.

"For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," Carroll said.

HID is also concerned that Paget's demonstration will popularize the vulnerabilities in its proximity cards and endanger its many customers.

You can't have it both ways. Either you don't take it seriously as something to fix (in which case a conference talk is no real threat), or you do take it seriously and would have developed some sort of strategy or plan to solve the problem. Make up your mind.

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.

Oh yeah, because their customers are really just shopping for a bit of security theater, something that keeps the lamer criminals out. I'm sure they would rather have a physical security system that can be trivially compromised by a skilled/motivated attacker using publicly known vulns than do what it takes to actually have a secure physical security system...

Bah. Makes me cranky.




Anonymous Chantel said...

Well said.

6:18 AM  
