June 28, 2007

So Long, and Thanks For All The Fish

It's been a great 2.5 years for me at VeriSign, but on Friday the 29th I am moving on to bigger, though not necessarily better, things. I have enjoyed the conversations that spun from this experiment of mine into the blogosphere, and I look forward to making another foray this way again, someday.

I believe we are going to bring another thought leader in VeriSign forward to blog in this space, but I do not know details or context yet, so this may not be true. All I can say is check back, and don't forget your towel.

Peace,
Jeff

March 27, 2007

RFID - Old Dog. New Tricks? Old Exploits!

Ok, so everyone has heard about RFID (pronounced Are Eff Eye Dee by some, "arf-id" by others) by now. We've all used it, guaranteed to five 9's of percentage likelihood. (Don't believe me? Ever bought anything? At Target, Wal-Mart, or almost any other retailer?) Many agencies and corporations use it for their campus access, at least for building perimeters in the form of an ID Badge that lets you in a door when you swipe the badge over a reader.

It turns out that Joshua Perrymon of PacketFocus Security Solutions has confirmed that many RFID vendors are vulnerable to...get this...SQL Injection from a tag that has been encoded with the specifics of the attack. From the Dark Reading article (the only source of info I can find at the moment), neither the badge readers nor the back end systems do any input validation, so a specially crafted data stream from the card can cause the device to receive a valid reply.

Ok, I have a big huge problem with this. SQL Injection? Come on folks. We've been aware of and responding to this threat for several years now. Gary McGraw and John Viega talked about these things six years ago in Building Secure Software. Web scanning companies are building entire products on just this sort of exploit. We preach secure application development all the time. How in the world can our physical security applications be vulnerable to this?
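To make the failure concrete, here is an added illustration (not from the Dark Reading article or from Josh's work) of a badge back end that splices the data read off the tag straight into a SQL query, beside one that checks the tag-ID format and binds it as a parameter. The badge table, the 8-hex-digit tag-ID format and the hostile tag payload are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample badge table: tag IDs and the cardholders they map to.
BADGES = [("04A1B2C3", "alice"), ("04D4E5F6", "bob")]
# Assumed tag-ID format for this example: exactly 8 upper-case hex digits.
TAG_ID_RE = re.compile(r"^[0-9A-F]{8}$")


def make_db():
    """Build an in-memory badge database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE badges (tag_id TEXT PRIMARY KEY, holder TEXT)")
    db.executemany("INSERT INTO badges VALUES (?, ?)", BADGES)
    return db


def lookup_vulnerable(db, tag_data):
    """Back end that trusts the reader: whatever the tag says goes into the SQL."""
    sql = "SELECT holder FROM badges WHERE tag_id = '" + tag_data + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(db, tag_data):
    """Reject anything that is not a well-formed tag ID, then bind the value."""
    if not TAG_ID_RE.match(tag_data):
        return None  # malformed tag data never reaches the query
    row = db.execute(
        "SELECT holder FROM badges WHERE tag_id = ?", (tag_data,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups against a genuine tag and a constructed hostile one."""
    db = make_db()
    genuine = "04A1B2C3"
    # Constructed hostile payload: closes the quoted literal and appends a tautology,
    # so the unvalidated query matches every row and the reader gets a "valid" reply.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_genuine": lookup_vulnerable(db, genuine),
        "vulnerable_hostile": lookup_vulnerable(db, hostile),
        "hardened_genuine": lookup_hardened(db, genuine),
        "hardened_hostile": lookup_hardened(db, hostile),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup answers the hostile tag with a real cardholder, while the hardened one returns nothing for it and still finds the genuine badge.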

Thanks to Josh for the work that went into releasing the initial info, and we are all looking forward to further disclosure on the problem, the fix, and how to go about finding and closing similar exploits.

February 22, 2007

VoIP woes - Why alarm systems need a POTS line

I saw a flurry of discussion on /. a week or two back about some Canadian (and American) home security companies having issues with clients who use a commercial VoIP solution, like Vonage. Apparently the systems are problematic or incompatible.

Well, no duh. VoIP is not the same as POTS when it comes to telephony service. Archaic as it may seem, some of us get quite nostalgic over the memory of a big, heavy, clunky off-skin-tone-beige phone with the large wire running from the case (no RJ-11 jacks, you youngsters...the cable ran up inside the casing like some sort of techno-primordial vestigial tail). And when the electron dance of currents and frequencies was just in that particular state of perfection, the magic of zinc-plated bells struck by steel hammers rang out with a brash **RINGGGGGG**. Ah, the good old days.


February 09, 2007

Friday Security Zen - 20070209

Pay Pal Security enhancements.

Californians not as excitable as Bostonians

Albert Einstein: Theoretical Physicist, Genius, and...tea leaf reader?!?

Enjoy your weekend.

February 02, 2007

New Security Podcast: SecThis.com

I've been listening to more podcasts these days to see what others in my field are thinking and doing. I came across this one in my Google searches and was impressed.

Now, before you jump on board, let me warn you: in the iTunes podcast listing, it has an [EXPLICIT] tag. The show is 4 to 5 security practitioners, working in the industry and all CISSP certified. This could be qualified as "the working man's (IT) security podcast". Ok, this is like a hands-on infosec practitioners' bull session show. They talk about subjects in the news or relevant to them, sometimes objectively but often subjectively too. They are all obviously experienced in the industry to one degree or another, and have perspectives and opinions on a variety of things...sometimes STRANGE opinions, but valid nonetheless. This is their podcast, not endorsed by their employers, so they do cut loose sometimes and the language can be coarse occasionally.

So, this is a great place to hear about security and technology things as seen by people in the industry today, making decisions, providing guidance to clients, and making a difference. They sound like my kind of guys. Lots of great stuff ranging everywhere from rights and expectations of individual privacy in the workplace to keys and physical locking mechanisms to the occasional product review. Good stuff, they are trying, and they need the diggs and listeners. If you can get by the occasional F-bomb, this show is worth the time.

SecThis.com

January 31, 2007

Who Do I Need to Be Today?

I've posted about this before, elsewhere, and the point I make hasn't changed. Federated Identity, Single Sign On, converged access control...these are all great concepts, and ones that I hope can come to be ubiquitous someday, while preserving many people's expectations of privacy. What you see in this image is the current state of things.

No less than 8 authentication systems are represented (and that doesn't include the PasswordSafe db holding complex passwords.) 2 to the power of 3. Multiple factors of multi-factor. I probably should have laid my car keys on the desk as well to show the remote door-lock system on the key-fob as well as the expensive and potentially unnecessary RFID-enabled ignition key.

So why so many systems? Being a consultant, I do work for many of our clients. Work that often requires I go onsite, access their facilities, networks and systems, and perform tasks or analyze their infrastructure. In some cases, I do so without obvious and overt permission (these are the Social Engineering gigs, which I regrettably don't get to do enough of...VERY fun), but instead have been charged by the client to see what I can learn by lying, preying on human behavior, and exploiting human weaknesses. In most cases, though, I am expected and welcomed at the front door, given temporary credentials and expected to deliver. Most of our clients don't integrate back into our infrastructure, nor do we reach into theirs to extend our domain of identity management. This means that, with nearly every new contract, I can expect some new form of authentication token...be it a badge, sticker with my name and picture, network account, etc. And a lot of effort goes into managing both the credentials themselves (Authentication) and the access control associated with the credentials (Authorization.) Pay attention, you Security+ candidates! This is important stuff you need to be familiar with!

So how can we minimize these duplicated efforts? There is no silver bullet, but we can start to make progress by using open methods of authentication. If you've looked into VeriSign Unified Authentication or maybe other authentication products and services, you've (hopefully) heard of OATH. There are a lot of federated solutions out there; some of them are even good ones. I'm not selling product here, although I do think VeriSign Unified Authentication is a pretty good one. The point is that historically, open systems tend to be more secure than closed ones; "Many hands make light work" and all that, or "many eyes make better code" as the Open Source community would say. Closed systems provide security through obscurity, which is not really any security at all.

When shopping for a new identity management system, I'd look for one that can support a wide variety of auth mechanisms, including proximity cards, smart cards of various flavors, OTP, etc. They are out there, and the benefit for a converged security posture can be significant.

January 09, 2007

Syngress publishes security convergence book

I noticed on Amazon today that Syngress has released a new book about Security Convergence. I'll probably write a short review when I've completed it, but here's a link for those who can't wait:

Physical and Logical Security Convergence: Powered by Enterprise Security Management (Paperback)
by Brian T Contos, Steve Hunt, Colby Derodeff
Paperback: 448 pages
Publisher: Syngress Publishing (January 1, 2007)
Language: English
ISBN-10: 1597491225
ISBN-13: 978-1597491228
List Price: $59.95
Amazon Price: $37.77 (as of this writing)

December 13, 2006

SCADA Plugins for Nessus 3 released

Tenable announced this week that 32 Nessus plugins specific to SCADA have been added. These are the direct result of Tenable and Digital Bond working together to bring this heretofore unavailable capability to the industry. It used to be that using the name Nessus (or any vulnerability scanning/systems mapping solution) in the same sentence as SCADA was near to sacrilegious. Civil Engineers would quake and cower at the mere thought of TCP packet mangling anywhere near their SCADA networks.

Alas, these plugins are provided on the same basis as any other plugin from Tenable. They may prove to be useful if you find yourself in need of assessing the state of a network with SCADA technologies. However, I will suggest that you do not use these plugins if you don't know what you are doing (or Nessus for that matter), and further suggest you not try to scan anything that even remotely resembles a SCADA environment without all the usual explicit approvals, consents, permissions, and get-out-of-jail-free cards. (This is known as my Caveat h4x0r.)

December 05, 2006

What is 'Security Theater'

This first decade of the 21st century has seen a lot of change for most Americans. Our beliefs about security, freedom, privacy, and justice have almost certainly been affected to some degree. A growing voice of criticism has arisen around how governments have responded to the changes of the last 7 years, punctuated by 9-11-2001; in fact it has become vogue to criticize endeavors to increase security if they aren't totally passive and non-invasive or perfectly successful in every way.

The phrase "Security Theater" is commonly used to describe many of the efforts undertaken in response to threats (real or perceived); it refers to things that try to make us feel more secure, but provide little or no increase in actual security. It is the modern day equivalent of the cardboard cutout of a police officer that one puts behind the counter of a convenience store after hours.


November 11, 2006

Security Convergence Article

TechNewsWorld has an article discussing Security Convergence written by David Ting, founder and CTO of Imprivata. It's a good overview of how physical and IT access controls can be merged and leveraged.

November 07, 2006

IBM: Smart Surveillance Systems

Enterprise Security Today article

IBM Corp. hopes to capitalize on the enormous growth in video surveillance by selling technology from its research labs that performs real-time analysis on footage captured by security cameras in stores and sensitive locales.

This could be a real improvement in security surveillance deployment. I can imagine systems with "rules" written to send an alert to a live person monitoring several cameras if the system detects something suspicious, just like a network IDS sensor. More cameras could then be monitored per person, theoretically.

November 04, 2006

Security Styles: Physical trumps Digital

One of the leading truths about systems security (relating specifically to computers, network equipment, etc.) is that if you have physical access to the box you are trying to attack/hack/infect/subvert then you win. It's not a matter of IF you can access, but how quickly. If you can't physically secure the system from unauthorized parties, it is (or should be considered) unsecured in any manner.

It looks like the election commission in New Jersey doesn't know this lesson, yet. I can imagine they are used to having equipment delivered before the election, to help facilitate quicker set up on election day (all the fancy little booth/table things, registration tables, etc.) But when the equipment is digital voting machines (aka computers) that the integrity of the entire digital voting process is based upon, then they should be considered sensitive and require security measures.

Now maybe I don't have the whole story; perhaps these systems don't have any hard drives, ROM memory, etc. Maybe they are non-functional shells, and the "important bits" get installed on the morning of election day. However, if I lived in New Jersey I'd be a little concerned.

November 02, 2006

Definition: Security Convergence

Welcome to the Security Convergence web log. Why security convergence? Well, before I get into the "why" I think it's important that we discuss the "what". Specifically, I mean the "What is 'security convergence', anyway?"

I am glad you asked...
