Sunday, March 23, 2008

All it takes is time...

Here's the situation: Henryk and Karsten are sitting around drinking beer and one turns to the other and says, "Hey, since we aren't doing anything, let's take a powerful microscope and take apart the MiFare RFID chip." (This is complete fiction - well, the beer drinking part - I wasn't there; they could have been drinking wine for all I know.)

Computerworld has an article discussing the MiFare RFID tag hack. From the article: "Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S. and in building-access passes."

Hypothesis: "Hmm wonder how these MiFare RFID things work?"
Process: Take them apart
New Hypothesis: "You think there are any vulnerabilities in this thing?"
Process: Holy crap these things are as secure as my credit card data at the grocery store.

What I really want to point out here is that, given time, it can be broken. I have heard multiple times from vendors, programmers, engineers - our "insert name" can't be hacked, broken or abused for nefarious purposes.

Well boys and girls (equal opportunity) you are wrong!

Lesson to take away from this. Don't rest on your laurels (I am in Athens, Greece - seemed like a good phrase). Keep innovating - while today it looks like it can't be broken, tomorrow some kid might try to put it in the microwave.

Introducing: Were I taking this seriously...

So in an effort to separate the wheat from the chaff I decided to spin off my InfoSec thoughts from my wanderings and exploration of the world.

My initial plan for this little corner of writing will be for me to discuss things about Information Security that crop up on a daily basis. Let's say this is going to be about "iron sharpening iron."

I am also planning on using this space to dump bits and pieces of wisdom I might learn along the way to being the best InfoSec manager in the world (this is humor - I am sure I will provide more than enough reasons to flame as this goes along. Please learn to see my sarcasm before we get too far into things.)

I am not a super h@x0r - I have never claimed to be. I am not a Bruce Schneier or a Richard Bejtlich, or even a Dan Kaminsky (although I do work with him).

I am a former network engineer who always had a belief that security should be included in everything you built. I blame this on my own misspent youth. My father watched me blow my eyebrows off more than once doing stupid things. After a while of doing destructive things that might hurt you, suddenly security (protection of self) became important.

I started college as a Sociology Major (people are interesting) - then changed to Mechanical Engineering (I am going to build robots) - a quick stint in Biology: Marine Biology (I read Lilly - one of his pals was Timothy Leary). I had a car accident and things changed - I ended up in Computer Science and did well. I had a computer from the age of 9 on so it made some sense (thanks to mom and dad on that one).

I enjoyed computers - introduced some neat ideas to the use of computers and biology at my university (if I had known that there would be a field to spring up years later called BioInformatics I might have stayed in that) and then bounced to Colorado to be a ski bum.

My diverse course of study has provided me with different ways of looking at things. Those in the security industry realize that having alternate viewpoints will help you figure out where the next bad thing is coming from.

As a side, there was a post in the last month about the way InfoSec people think. Is it learned or is it innate knowledge? See Bruce's thoughts at link. You can see one rebuttal at link.

Sorry Bruce - I am going to lean towards the learned ability. Proper scientific method at use here:

1) Define the question (how would I break this web application? steal this car? compromise this RFID tag?)
2) Gather information and resources (Google, Secunia, milw0rm, RFID)
3) Form Hypothesis (hmm, if I add a ' there, will things go awry?)
4) Perform experiment and collect data (well look at that - the database just dumped)
5) Analyze data (oh looks like someone has been keeping credit card data)
6) Interpret data and draw conclusions that serve as starting point for next hypothesis (does everyone using Joomla have Remote File Inclusion Vulnerabilities?)
7) Publish results (Google, Secunia, milw0rm, RFID)
8) Retest (here come the script kiddies)

So while I might agree that InfoSec people are a little different (if you don't agree you have missed oh every Defcon since the dawn of time) - I am not going to agree that they go at things differently than the next guy. InfoSec professionals just come up with better hypotheses to test.

Well that's enough for a solid introduction. I will be adding more as I go along. Here's a brief snippet of where I will be over the next couple of weeks:

"Next I am in Amsterdam all week for Blackhat Europe. The first couple of days I will be in class learning Reverse Engineering: Application in Malicious Code Analysis. I am really looking forward to the class. It should be interesting and allow me to be more successful in my own reverse engineering assignments. I wrap that up and zip back to the States on the 29th.

I will be in Seattle for a week (time to practice being a manager) then I am off to San Francisco for RSA. There I will get to practice my new Director skills as I begin the process of moving IOActive forward in their information security offerings (glamorous words for me being a sales guy for a week). I will also be there as a technical resource to help the real sales people discuss what we can do as a resource for an organization. I am really excited about this. I have begun to make some new contacts and I am really looking forward to increasing the range of discussions and add my own input to the security community.

After that long week I will be back in Seattle reviewing what I learned at RSA and preparing for a trip back to Germany. If you don't follow me on Dopplr let me know and I will add you. My travel schedule is crazy...."

Hope to meet you and see your comments in the future.