Home > TechNews > Disregard for Security in Security Products – continued

Disregard for Security in Security Products – continued

At the RSA show it is not uncommon to bump into a hacker.  But when four or five of them are huddled together you know some really cool or really scary has their attention.  In this case it was a little invention by IOActive.  The Seattle company is well known for the superstar lineup in its advisory board and management team.  This is one of the few firms officially invited to test the Microsoft Vista operating system code before release. 

The fellow grabbing the attention was a colorful geek with an HID reader and card.  He was showing off his small gizmo that could copy and clone an HID card in 20 seconds.  Serious, if he gets his hands on your HID access card for 20 seconds, you can be sure hell be able to get through the door posing as you.

The some guys were talking animatedly about how to crack this physical access control system, and that surveillance DVR. 

Stay tuned for more reports from the RSA security show in San Francisco this week.

Categories: TechNews
  1. LaurisF
    February 7, 2007 at 1:24 pm

    He would not be the first person to develop a tool to clone a prox technology access card. It has been known for awhile that certain students from a certain distinguished institute of higher education have done the same without the need to have possession of the card.
    Good security designers take into consideration that reliance on one feature or aspect of security is like putting all your eggs in one basket. If the portal security is important enough, there can be multi-factoral identity verification concepts in play where the card is not the only item needed to gain access.
    Good security programs presume that this can and does happen.

  2. February 11, 2007 at 12:50 pm

    That’s not the point Lauris. The point is that if the hacker community “discovers” physical security systems, they will not stop at simple RFID cards. They’ll hit controllers, alarm panels, cameras, management software, etc.

  3. LaurisF
    February 15, 2007 at 9:03 am

    Steve, again they have already accomplished hitting these on at least one system. Once security systems left the relative “security” of closed networks, it has been a fast paced race to build protection against the hackers that live in the public networks. Today’s security will not prevent tomorrow’s attack scenario. We can only protect against what we know.

  4. OsamaS
    February 25, 2007 at 7:35 pm

    LaurisF says: “Today’s security will not prevent tomorrow’s attack scenario. We can only protect against what we know.”
    There is some (or a lot) of truth to this statement. Yes, there is no such thing as absolute security, however I do believe that if systems are implemented from the startup with security in mind they will be able to protect against many of tomorrow’s threats.
    I’m talking here about basics principles like “default deny”, defense in depth, least privilege, zoning etc.
    I think LaurisF means “Security Technologies” when he says “Today’s security”.
    Then there is always the issue that security technologies themselves can introduce risks, like AV software with bad signatures that delete legitimate files, security products with buffer overflow vulnerabilities etc.
    To put it more optimistic, today’s security principles can prevent many of tomorrows attack scenarios.

  5. February 26, 2007 at 7:22 am

    Lauris, I’m more inclined to what Osama says. You sound like you are throwing in the towel. (I’m sure you aren’t, but you sound that way). Like you assume the bad guys will stay one step ahead, so what can we do? Osama on the other hand says let’s use the best priciples of preparation, detection, response and remediation to battle the unknown. Bring it on, bad guys! right?

  6. Robert Becker
    September 12, 2011 at 1:17 am

    To All,
    I am at a University that utilizes HID cards and well… I’ve been here for 2 weeks and 1 day and tomorrow I have to go get my third card. If someone could help me out with a way around the swipe card I would really appreciate not randomly getting locked out of my room for no apparent reason.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: