Proximity access cards are no more secure than a standard key, and they can be replicated with a $10 tool (to be released). This was shared on ZDNet and with Motherboard. I have highlighted two key sections below; for those interested in greater detail, definitely check out the article. If you are lucky enough to see the presentation live at Black Hat, that will surely be better.
While RFID technology can help secure enterprise offices in this way, the ease in which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.
Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards. The team says the release of the tool is “valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks.” – ZDNet Article
I would raise the point that these attacks can now be carried out so easily that one has to ask whether the “control” in physical access control can still be fully trusted, whether from a third-party assurance perspective, an industry perspective such as PCI, or a risk-management perspective. One could argue that cameras support this protection, but they are only consulted after damage has been discovered, which is insufficient for all of the stakeholders involved.
“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key.” – Motherboard, Baseggio
The difference, though, with a ‘standard key’ is that it takes some crafty spy work to make a copy without the owner being aware. Copying a HID card would take only seconds: at a gym, from a lanyard left on a desk, etc.
Glad the research cycle is exposing these risks and looking forward to creative approaches to counter it.
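One counter-measure that does not depend on the card itself being hard to copy is to watch the access-control logs for a credential behaving as if it were in two places at once. The following is an added example, not code from the post or from the BLEKey researchers: it parses constructed badge-reader log lines and flags two signals of a cloned credential, a card re-entering a building it never badged out of (anti-passback) and a card appearing at two sites faster than anyone could travel between them. The reader inventory, the transit times and the log lines are all assumptions built for the example.

```javascript
// Added example (not from the post): flag likely cloned credentials in badge-reader logs.
// Reader inventory and transit times below are constructed assumptions, not real site data.
const READERS = {
  "LOBBY-IN":  { building: "HQ",        kind: "entry" },
  "LOBBY-OUT": { building: "HQ",        kind: "exit" },
  "LAB-IN":    { building: "HQ",        kind: "interior" },
  "DC-IN":     { building: "DC-REMOTE", kind: "entry" },
};

// Minimum plausible travel time between two buildings, in minutes (assumed).
const MIN_TRANSIT_MIN = { "DC-REMOTE|HQ": 45 };
function transitKey(a, b) { return [a, b].sort().join("|"); }

// Log format assumed: "ISO timestamp, reader, card, result". Only GRANTED reads
// actually move a card somewhere, so denied reads are dropped for this check.
function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, reader, card, result] = line.split(",").map((s) => s.trim());
    return { ts: new Date(ts), reader, card, result };
  }).filter((e) => e.result === "GRANTED");
}

function findAnomalies(events) {
  const lastSeen = new Map(); // card -> last granted event
  const inside = new Map();   // card -> building the card is currently "inside"
  const alerts = [];
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  for (const ev of sorted) {
    const reader = READERS[ev.reader];
    if (!reader) continue; // unknown reader: out of scope for this check
    const prev = lastSeen.get(ev.card);
    if (prev) {
      const prevBuilding = READERS[prev.reader].building;
      if (prevBuilding !== reader.building) {
        const need = MIN_TRANSIT_MIN[transitKey(prevBuilding, reader.building)];
        const elapsedMin = (ev.ts - prev.ts) / 60000;
        if (need !== undefined && elapsedMin < need) {
          alerts.push({ kind: "impossible-travel", card: ev.card, from: prev.reader, to: ev.reader, elapsedMin });
        }
      }
    }
    if (reader.kind === "entry") {
      // Entering a building the card never left: either tailgating or a second copy of the card.
      if (inside.get(ev.card) === reader.building) {
        alerts.push({ kind: "anti-passback", card: ev.card, reader: ev.reader, at: ev.ts.toISOString() });
      }
      inside.set(ev.card, reader.building);
    } else if (reader.kind === "exit") {
      inside.delete(ev.card);
    }
    lastSeen.set(ev.card, ev);
  }
  return alerts;
}

// Constructed sample log: C-1001 re-enters HQ without leaving, then shows up at the
// remote data centre eleven minutes later; C-2002 behaves normally.
const SAMPLE_LOG = `
2015-08-05T08:02:10Z, LOBBY-IN,  C-1001, GRANTED
2015-08-05T08:15:44Z, LAB-IN,    C-1001, GRANTED
2015-08-05T08:20:03Z, LOBBY-IN,  C-1001, GRANTED
2015-08-05T08:31:00Z, DC-IN,     C-1001, GRANTED
2015-08-05T09:00:00Z, LOBBY-IN,  C-2002, GRANTED
2015-08-05T09:05:00Z, LOBBY-IN,  C-2002, DENIED
2015-08-05T17:30:00Z, LOBBY-OUT, C-2002, GRANTED
`;

function demo() { return findAnomalies(parseLog(SAMPLE_LOG)); }
console.log(JSON.stringify(demo(), null, 2));
```

Both rules are already available in many access-control systems as hard anti-passback and "impossible travel" reporting; the point of running them as detection logic is that they fire at the moment a copied card is used, rather than after someone reviews camera footage.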
p.s. My new book, How not to be hacked, is available and is PERFECT for your family and friends who keep getting smashed by online criminals, malware, and account hijacks!
Interesting quotes from the researchers who demonstrated attack vectors in Google’s Chrome during Black Hat 2011:
“The software security model we’ve been dealing with for decades now has been reframed,” Johansen said. “It’s moved into the cloud and if you’re logged into bank, social network and email accounts, why do I care what’s stored in your hard drive?”
- An important illumination of the shifting risk landscape: how the user interacts with data and the system has changed, which challenges the technology controls currently relied upon to safeguard intellectual property.
- What is the effective rate of end-point security (anti-malware, anti-phishing agents, anti-virus) in this new use case?
- What is being deployed, and what is effective: policy, procedure, technology, or a hybrid?
“While the Chrome browser has a sandboxing security feature to prevent an attack from accessing critical system processes, Chrome extensions are an exception to the rule. They can communicate among each other, making it fairly easy for an attacker to jump from a flawed extension to steal data from a secure extension.”
- Speaks to the convergence of apps emerging on iPhones, Androids, their respective tablets, TVs, browsers, operating systems, etc. It is similar to the fragmentation attacks of the past, where packets would look innocent separately, but once all were received they would reassemble into something capable of malicious activity.
An interesting extension of the risk here is that the platform and/or devices may be trusted and accepted by enterprises, but it is these apps / widgets / extensions that create the security scenarios. This requires a policy and process for understanding the state of these platforms (including all mobile devices, browsers, and similar app-loadable environments) beyond the gold configuration build.
Another article on the Google Chrome extension risk described above.
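The quoted finding is that extensions can talk to each other, so a flawed extension becomes a stepping stone into a "secure" one. The defensive half of that story is that an extension decides who it answers. The block below is an added example, not code from the article or from any of the extensions it discusses: a default-deny handler for cross-extension messages that checks the sender's extension ID against an allowlist, accepts only a short list of harmless actions, and never exposes stored secrets over that channel. The extension ID is a placeholder, and the `externally_connectable` manifest fragment reflects Chrome's real manifest key (without it, any installed extension may open a channel to yours).

```javascript
// Added example (not from the article): a default-deny handler for messages from
// other extensions. The extension ID below is a placeholder, not a real extension.
const TRUSTED_EXTENSION_IDS = new Set([
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // placeholder ID of the one partner extension we expect
]);

// The only actions an allowlisted extension may request. Deliberately no action
// returns stored credentials, cookies or session tokens: cross-extension messaging
// is not a trustworthy channel for secrets even with an allowlist.
const EXTERNAL_ACTIONS = {
  ping: () => ({ ok: true }),
  getVersion: () => ({ ok: true, version: "1.0.0" }),
};

// sender.id is populated by Chrome for onMessageExternal and identifies the calling extension.
function isTrustedSender(sender) {
  return Boolean(sender && typeof sender.id === "string" && TRUSTED_EXTENSION_IDS.has(sender.id));
}

function handleExternalMessage(message, sender) {
  if (!isTrustedSender(sender)) return { ok: false, error: "untrusted sender" };
  if (!message || typeof message.action !== "string") return { ok: false, error: "malformed request" };
  // hasOwnProperty guard: "constructor" or "__proto__" must not resolve to a handler.
  const handler = Object.prototype.hasOwnProperty.call(EXTERNAL_ACTIONS, message.action)
    ? EXTERNAL_ACTIONS[message.action]
    : null;
  if (!handler) return { ok: false, error: "action not permitted" };
  return handler(message);
}

// Manifest fragment (assumed for this example): limits which extensions can even open a
// channel. Without externally_connectable, Chrome lets any extension message this one.
const MANIFEST_FRAGMENT = {
  externally_connectable: { ids: [...TRUSTED_EXTENSION_IDS] },
};

// Wire-up for the extension's background script; guarded so the file also runs outside Chrome.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender));
  });
}
```

The manifest restriction and the runtime check are layered on purpose: the manifest stops unknown extensions from connecting at all, and the handler still refuses anything outside the short action list in case the allowlisted partner is itself the flawed extension.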
Joseph Black, a counter-terrorism expert, spoke at Black Hat on cyberwar and the challenges of communicating the threats to leadership. A few core highlights of that talk:
“…toughest thing about predicting terrorist attacks was getting people in power to take the predictions seriously and to do something about it.”
- Similar challenges exist within business organizations where risk landscapes may be incomplete or lack linkages across the enterprise’s business elements and information security programs.
- The media attention to data breaches, though, may create clarity on this threat.
“Validation of threats will come into your world,” Black said. “There is a delay to that validation. This is the greatest issue you are going to face.”
- Meaning it will occur, but definitive examples and “reasons for deterrence” will not arise until it has already occurred. So it is appropriate to begin maturing the minimization and management of valuable data, and the incident response capabilities…
“…We are moving from the Cold War to ‘code war.’”
- A code war, yes, for governments, but the driver for business leaders is the notion of businesses and nation states stealing intellectual property (which many define loosely and inaccurately) to create competitive alternatives OR to bolster the local quality of life for a group of people.
There are interesting public examples where digital attacks created an advantage for an attacking force and achieved results that would otherwise have required military kinetic force. Two examples include the hacking of Syria’s radar software in 2007 that allowed for the bombing of a nuclear reactor (Syrian radar screens were made blank), and Stuxnet, which caused centrifuges to spin aggressively while showing operators readings of normal operation (this caused a multi-year negative impact on these plants).
“…the problem with cyber warfare is the “false flag,” where countries responsible for cyber attacks will be able to plausibly deny responsibility or otherwise shift the blame to a rogue element.”
- Attribution challenges make kinetic responses highly susceptible to trickery and fraud.
The seriousness and sophistication of attacks, motivation, and intent against organizations is palpable. Over the next few years, equal sophistication must be applied to the deterrence and management of information security.
Other thoughts, research, insights?
– James DeLuccia