Monday, January 31, 2005

SecurityFocus HOME News: 'Thiefproof' car key cracked

SecurityFocus HOME News: "'Thiefproof' car key cracked

By John Leyden, The Register Jan 31 2005 8:33AM
Researchers have discovered cryptographic vulnerabilities in the RFID technology used in high-security car keys and petrol pump payment systems. The attack against Texas Instruments DST tags used in vehicle immobilisers and ExxonMobil's SpeedPass system was identified by experts at Johns Hopkins University and RSA Laboratories."

Security through obscurity really is neither.... -Bryan

Monday, January 24, 2005

Matt Blaze's Technical Papers - Safecracking and Physical Locks - AT&T Labs -- Research

Technical Papers: "Physical Security

Cryptologic techniques can be applied outside of computers and networks. Perhaps surprisingly, the abstractions used in analyzing secure computing and communications systems turn out also to be useful for understanding mechanical locks and their keyspaces. Indeed, modeling master keyed locks as online authentication oracles leads directly to efficient solutions for what might naively seem like exponential problems for the attacker. In fact, it seems like almost a textbook example, as if master keying practices for locks were designed specifically to illustrate this class of weakness. We sometimes assume that hardware-based security is inherently superior to that based in software, but even the humble mechanical lock can be just as insecure as complex computing systems, and can fail in similar ways."


Matt's Master-Keyed Lock Vulnerability article is here


And Matt's safecracking PDF is here


Since information security and risk reduction invariably rely on physical security, it is time that infosec pushes the envelope on mandating physical security that is not based on an illusion of security, but on provable security. That tape library with millions' worth of intellectual property and trade secrets is sitting in a "Safe" somewhere, right? Is that really safe? Probably in name only. As a great mind or two have concluded over the centuries: "security through obscurity is neither..."

-Bryan

Onion Routing

Onion Routing: "Onion Routing

The Onion Routing project researches, designs, builds, and analyzes anonymous communications systems. The focus is on systems for Internet-based connections that resist traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routers themselves). Onion Routing prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network."

Been playing around with this since a friend pointed me back to it the other day (thanks Joel). A must-use for browsing around sites that you may not want to know your identity. Will set up a hardened and malware-resistant Tor server here soon.

And since I don't want my Tor server to be used to anonymously hack other systems, ingress/egress layer-7 screening will be used even if it upsets the cyber-anarchists out there.
-Bryan

Sunday, January 23, 2005

On the discussion of security vulnerabilities

On the discussion of security vulnerabilities: "Is it harmful to discuss security vulnerabilities?

The debate over the open discussion of security vulnerabilities long predates the Internet and computers. The recent reaction of some locksmiths to my master keying research paper heightened my interest in this subject. Here's what one of the 19th century's foremost inventors of mechanical locks had to say 150 years ago:"

Tuesday, January 18, 2005

Nerdlabs - Boot Disk Images


Need boot disks? Go here now and make some. -Bryan