Saturday, August 30, 2008

Adam Savage: Credit Card Companies Bullied Mythbusters

Here is a YouTube interview with MythBusters' Adam Savage talking about how they would not do an episode of MythBusters on RFID security because they (Discovery Channel) were intimidated by the credit card companies' legal teams.

I can certainly understand how credit card companies would freak out at this exposure. The MythBusters do a very thorough job of researching and testing "myths". It is certainly not a full scientific method, but anyone who watches them knows that they definitely present very compelling information.

I guess exposing information to the general public is simply not an acceptable practice if you are a credit card company. This is a shame, as I am sure it would have been a very interesting episode. I found this on Digg.com. Please go to the link to see the comments.


Thursday, August 14, 2008

Who owns the liability? Scenario #1

Counterfeit drugs are currently a booming business. I am not going to go into detail about this, since a simple Google search will tell you all you want to know about the problem.

Pharmaceutical companies do not like counterfeit drugs making their way into the marketplace. Counterfeits cut into profits and make a drug company look bad. Pharmaceutical companies, however, are generally not liable for counterfeits making their way into the marketplace. If someone chooses to buy their heart medication over the internet and they get sugar pills that look like the real thing, and then die from using those pills, nobody can claim that the maker of the genuine drug is liable for this. If someone buys a counterfeit from a legitimate source (such as a genuine brick and mortar pharmacy), then the liability chain starts there, and a good investigation can probably trace the problem somewhere short of the company making the genuine drug. Once again, Big Pharma (my nickname for the pharmaceutical industry) is not liable.

Now we get to ePedigree, which is the huge initiative mandated by the Federal Government for all drug companies to implement a system to track and trace all drugs they produce. At least one of the goals of mandating ePedigree is to combat the enormous proliferation of counterfeit drugs. In essence, drug companies will have to put an identifier on the drugs they sell to ensure that they can be traced all the way back to the manufacturing plant. If someone buys a counterfeit drug, the identifier will (ostensibly) be absent or fail to match the pedigree record, and therefore the drug is a counterfeit. This is definitely an oversimplification of the ePedigree initiative, but the essence of what I am describing is valid.

One can imagine the enormous cost that Big Pharma must absorb in making this happen, not to mention everyone involved in the supply chain. In a word, this is an enormous headache to the entire industry. Counterfeits are definitely a problem, but the industry remains quite profitable despite the counterfeits on the market. It is difficult to ascertain the losses a company faces due to counterfeits, but they can determine the enormous cost of ePedigree, and the numbers simply do not look pretty. The bottom line is that Big Pharma is currently interested in implementing a system which is primarily low in cost. That is essentially the first reaction to any organization which is forced to comply.

So let me paint a scenario. Big Pharma is required to implement unique identifiers on their drugs. A drug counterfeiter makes a counterfeit copy of the identifier (such as an RFID tag), and attaches it to the bottle of counterfeit drugs. Someone buys the counterfeit drug over the Internet (the same counterfeit heart medicine I mentioned earlier) and dies from using the counterfeit. When checked for authenticity, the RFID tag shows that the drug was legitimate, and it is traced back to the source. Further investigation reveals that the tag itself was counterfeited. When asked about what security Big Pharma put in place to prevent this from happening, what will the answer be? Who owns the liability at this point?

Creating an insecure (i.e. clonable) ePedigree system introduces a method for a counterfeiter to introduce drugs which are deemed COMPLETELY VALID into the system. A reader that only checks whether the serial number exists in the pedigree database cannot tell a genuine tag from a copy of it, because the serial number is exactly what every reader (including the counterfeiter's) gets to read. Nokia, for example, is currently building RFID readers into mobile phones. This could eventually make its way into the home, and someone who buys drugs over the Internet could "validate" their Internet purchases. Pharmacies who receive counterfeit drugs with "valid" RFID tags would feel quite confident that the drugs are legitimate. After all, the ePedigree information says they are!
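To make this concrete, the following is an added example; it is not code from the original post, from any ePedigree implementation, or from any of the drug companies discussed here. It models the trace-back check described in the previous paragraphs and the tag-cloning scenario above. The identifier format, the manufacturer-side registry, and the challenge-response tag holding a per-tag HMAC secret are all assumptions chosen to show the shape of the problem, not a description of any real tag product.

```python
"""
Added example (not from the original post or any real ePedigree system):
why a bare serial number on an RFID tag cannot authenticate a drug, and what
a clone-resistant check looks like. The identifier format, the registry and
the HMAC-based tag are assumptions for illustration only.
"""
import hashlib
import hmac
import os
from collections import defaultdict


class PassiveIdTag:
    """A plain tag that only stores an identifier (an EPC-style serial).

    Anything a reader can obtain from it, a counterfeiter can copy onto a blank tag.
    """
    def __init__(self, serial: str):
        self.serial = serial

    def read_serial(self) -> str:
        return self.serial


class AuthenticatingTag(PassiveIdTag):
    """Hypothetical tag with a per-tag secret and a challenge-response interface.

    The secret never leaves the tag; only HMAC(secret, serial || challenge) is emitted.
    """
    def __init__(self, serial: str, secret: bytes):
        super().__init__(serial)
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, self.serial.encode() + challenge, hashlib.sha256).digest()


class PedigreeRegistry:
    """Manufacturer-side registry: serial -> per-tag secret, plus where each serial was seen."""
    def __init__(self):
        self._secrets = {}
        self.sightings = defaultdict(list)

    def issue(self, serial: str) -> AuthenticatingTag:
        secret = os.urandom(32)
        self._secrets[serial] = secret
        return AuthenticatingTag(serial, secret)

    def weak_check(self, tag, location: str) -> bool:
        """Lookup-only check: passes for any tag that carries a known serial."""
        serial = tag.read_serial()
        self.sightings[serial].append(location)
        return serial in self._secrets

    def strong_check(self, tag, location: str) -> bool:
        """Challenge-response check: the tag must prove it holds the secret."""
        serial = tag.read_serial()
        self.sightings[serial].append(location)
        secret = self._secrets.get(serial)
        respond = getattr(tag, "respond", None)
        if secret is None or respond is None:
            return False
        challenge = os.urandom(16)  # fresh per check, so a recorded answer cannot be replayed
        expected = hmac.new(secret, serial.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))

    def duplicate_serials(self) -> set:
        """Serials seen at more than one location: evidence that a clone is in circulation."""
        return {s for s, locs in self.sightings.items() if len(set(locs)) > 1}


def clone(tag) -> PassiveIdTag:
    """What a counterfeiter with a reader can do: copy the public serial onto a blank tag."""
    return PassiveIdTag(tag.read_serial())


def demo() -> dict:
    registry = PedigreeRegistry()
    genuine = registry.issue("NDC-00000-0000-SN-0001")  # constructed identifier
    fake = clone(genuine)
    return {
        "genuine_weak": registry.weak_check(genuine, "pharmacy-A"),
        "clone_weak": registry.weak_check(fake, "web-shop"),
        "genuine_strong": registry.strong_check(genuine, "pharmacy-A"),
        "clone_strong": registry.strong_check(fake, "web-shop"),
        "duplicates": registry.duplicate_serials(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The weak check is what a lookup against a pedigree database amounts to: the clone passes because the serial is all the database ever asked for. The strong check passes only when the tag can answer a fresh challenge, which a copied serial cannot do. Cheap passive tags generally cannot run HMAC-SHA256; the point is the protocol shape (a secret that never leaves the tag plus a fresh challenge), whatever primitive the tag can afford, and that is the cost the industry is reluctant to pay. The duplicate-sighting check is the fallback when tags cannot authenticate at all: the same serial turning up in two places is itself evidence of cloning, but it only works if every sighting is reported to one place, and it cannot tell which of the two is the genuine article.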

Several members of the RFID Security Alliance have, quite literally, met with Big Pharma and posed the issue of security in ePedigree, and the response has been less than promising. One company said they have absolutely no incentive to deal with security. Another said they will deal with security when it is a problem (this is ALWAYS a bad idea). Still others said they are not going to spend the money for security. These are all Fortune 10 companies. Big Pharma may deny this, but my sources are pretty darn good.

When faced with the question "Why didn't you make this more secure?", what is Big Pharma's answer going to be?

Will they claim ignorance?

Will they claim they are not liable?

Tough questions...

Friday, August 8, 2008

And the winner is....

Several years ago I recall seeing a picture of a sign someone had posted on a bridge which read something like this:

Remember when you drive over this bridge that the company who built it was the lowest bidder.

Sort of makes you question the safety of the bridge, does it not?

At the Blackhat Conference this past week, several of the exploits generating quite a stir involved attacks on automatic toll systems (which use completely non-secure RFID), as well as attacks on e-passports (also using non-secure RFID).

Security experts have discussed the vulnerabilities of these systems nearly to the point of exhaustion, only to be dismissed as theoretical possibilities.

An article posted at Techdirt.com discusses this latest Blackhat exploit, and the last sentence in the article asks "So why weren't these systems designed with better security in the first place?"...which brings us back to the bridge.

Sadly, I am willing to bet anyone that every one of the companies who implemented these systems was absolutely made aware that it had to consider the design of the security of the system, and absolutely either chose to ignore security, or failed to validate security if it did choose to implement it.

The lowest bidder can easily cut security out of the bid, because everyone else does.

Perhaps the makers of the toll systems and passports can sue the Blackhat hackers, like NXP tried to do to the students who published the Oyster Card exploit. I am sure their lawyers would love to collect some fees.

Wednesday, August 6, 2008

Why Do They Choose To Ignore The Risk?

I was reading through some news items today, and ran across several stories asking why Freddie Mac chose to ignore advice from their risk management officers who were telling Freddie Mac CEO, Richard F. Syron, that the risky subprime loans they were backing were exposing them to huge risks (read the article here).

This reminded me of an article I recently penned. I am not sure it answers the question, but I think it makes a valid point:


Humans are generally well intentioned beings. We do not, however, begin life that way. Any of you who have children can certainly relate to this. A child is perhaps the most self centered being in the world. Children will fly into tantrums, hit, kick, bite, steal, and do whatever it takes to get what they both need and want. This is not because children are inherently evil. They simply do not know any other way to survive. When we attempt to teach our children how to do better it is no surprise that they do not welcome this gift of wisdom. After all, their method works to achieve the results they want, and changing gears is just too much work.

Some parents persevere in the endeavor to make their children understand the importance of being well mannered, sharing with others, and honesty. These parents are generally rewarded for their efforts in the long term, yet are often left biting their nails in frustration in the short term. It is, by any measure, no easy task, and many parents seek the assistance of others as they endeavor to stay the course in raising their children while attempting to avoid the pitfalls of frustration which so often force even the most determined to give in. We ask those we trust and love for assistance. We hire professionals into our homes to help us build better offspring. We send them off to schools to learn what they need to know to be all they can be. We buy books and study them, hoping to glean some insight on how to do better.

At times, however, we end up with children who don’t seem to reach maximum potential, and they grow into adults who struggle to make it in an often difficult world, and who frequently wreak havoc on a seemingly well designed sociological master plan. There is no need to expound on this; we all know what I am talking about. As Ayn Rand so eloquently illustrated in “Atlas Shrugged”, there are those that exploit and there are those that are exploited. Remarkably, the “exploiter” often begins life as the “exploited”. This is not always true, but it is true often enough to be noteworthy.

Why is it that we sometimes fail at this project? Volumes have been written with so many reasons and theories that it has created a multi-billion dollar industry for writers, doctors, psychologists, and the list goes on. Some suggest it may be diet. Others suggest it is the way we teach our children. Some feel it is the music they listen to, the TV they watch, or the games they play. The way we raise our children changes with each generation, based on who is considered the expert of the day. One common thread which seems to remain intact, however, is perhaps the most valuable information of all. Parents who truly CARE about how they are raising their children seem to achieve success.

I need to stop for a moment and define what I mean by CARE. Truly caring about someone or something is, at its core, an unselfish act. It is about recognizing and setting aside personal gains, ego, fears, and barriers in order to focus on the achievement of an initiative which can stand as a testament to excellence. It is not about forcing your child to go to medical school so you can proudly boast to your friends and associates that your child is a doctor. It is about doing what it takes to raise a child that can stand on his (her) own and proudly proclaim that all that he has become, whatever that may be, is in large part because you cared enough to guide him to find his passion and reach his maximum potential. To succeed at this, however, requires commitment and good judgment. The kind of commitment and judgment I am referring to is of the type that comes from careful introspective analysis in a non-egotistical manner. This is the type of commitment that considers the wisdom of others who have faced such challenges and have risen above them despite the obstacles they faced. This is the type of commitment which does not hand the task at hand over to someone else to do, while stepping back, only to lay blame on someone else when the outcome is not what was expected. This is the type of commitment and good judgment which is not afraid to question the judgment of others and raise the difficult questions, despite the fear associated with "rocking the boat" or questioning "common wisdom". This is also the type of commitment and good judgment that leads to perhaps the most difficult task of all: the ability to admit when you have made a mistake and to change direction to fix the mistake and get back on track.

So what does this have to do with voting machines, our national mortgage crisis, and the current ePedigree solutions being proposed for ensuring authenticity of drugs from the global supply chain in the Pharmaceutical industry?

As we made the move into the modern age we live in, replete with technological marvels only a true Luddite would not embrace, we found ourselves with an ever-growing need to shed ourselves of many old ways. Voting on paper seemed to make no more sense than filling out withdrawal slips at a bank or writing checks at the grocery store. Sure, there are still those among us that embrace the old-fashioned way of performing these tasks. By and large, however, they are a dying breed. Paper-based voting systems required too much space, time, and money to tally the votes. It was clearly time to digitize the system. Voting machine companies and election committees from various states got together and began hammering out the details of the project, and the voting machines hit the ground running. Then disaster struck. Academics, reporters, and whitehat hackers discovered that the security of these systems was entirely inadequate for the purpose they were designed for. State election officials began decertifying these machines, and the court of public opinion pointed at the voting machine manufacturers and accused them of everything short of treason for their lack of attention to security. Being a security company, we decided it would be a good idea to study this situation and perhaps offer some assistance. As we discovered, the level of security of the voting machines was not a major concern for nearly all state certifying bodies at the time that these machines were first certified by the State. Some voting machine companies clearly understood what it would take to build a secure system, yet the requirements did not dictate a need for a secure system, and the voting machine companies couldn’t justify spending the money for security as it would make them uncompetitive.

Who is at fault here? Is it the election committee’s fault for not validating the security of the system? Is it the voting machine company’s fault for not insisting that the system had to be more secure and spending a little more money to make the security at least reasonable? Is it the fault of the American public for not seeing this coming? These are tough questions, but one question is easily answered: Who ended up paying for the failure? Yes, dear reader, we did.

Then there is the mortgage crisis we are all now quite familiar with. Almost everyone in the financial world knew of the enormous risks associated with sub-prime mortgages. Economists, academics, realtors, and simply sensible people tried to warn us of the dangers of what was happening in the market. Still, countless people continued to play this dangerous game, hoping to avoid being burned. Many people deluded themselves into believing those who characterized the experts that were warning us as “fear mongers” and “out of touch financially”. Hindsight is 20/20. We are paying the cost for this failure.

Now we come to the enormous ePedigree initiative. Counterfeit drugs are an enormous problem. Some estimates claim as much as 30% of drugs coming from some nations are counterfeit. Counterfeiting drugs has become a multi-billion dollar industry worldwide. Many operations which once dealt in illegal narcotics and other illegal drugs have turned to counterfeiting due to the enormity of the market and the relative ease with which those who deal in counterfeit drugs can operate (compared to those who produce illegal drugs). Clearly, something had to be done to combat this growing menace. The United States government, in cooperation with governments all over the world, decided to take action by requiring a pedigree for each and every drug produced and/or sold in the United States. By requiring a traceable pedigree for these drugs from producer to consumer, and every step along the way, in the event of a problem the point of breakdown could be detected, isolated and addressed. Initially, the rollout for this system was slated for 2010 (2009 for California), and has been pushed back to 2011. This is, without a doubt, a huge project with an enormous number of complexities involved in implementation. One of the first steps in this process that stakeholders have focused on is determining what technologies and methods would be employed to track these drugs. Will it be 2D barcodes, RFID, security chips, databases, auditing and legal resources? The list goes on. How will the information be shared? The complexity is staggering.

As a security expert, I thought it would be prudent to get involved in this process. Surely, I speculated, the organizations tasked with implementing such systems would be extremely interested in making sure that the security of the system was validated. I was perhaps a bit naïve in my zeal. Organizations involved in pharmaceutical manufacturing and the supply chain are clearly focused on compliance with a law that, if they fail to meet it, will leave them completely unable to do business. I have witnessed a great deal of activity at the tactical level (putting together the components to comply with the law), but have yet to see any activity at the solution security level. The law simply does not call for validation of system security at any level that a counterfeiter could sidestep, and these organizations are not allocating resources and mindshare to anything other than compliance. Hackers and perpetrators are much more determined, sophisticated, and resilient than government regulations around compliance. We all intuitively know this, yet where is the duty of Care to do something about it? Will this "Care" only emerge after enough people have died, or enough money has been wasted on a broken system, at which point people will be galvanized to be the hero and fix the problem once the appropriate resources and attention have been allocated? What kind of "Caring" is this? Can a company afford to care if nobody else does?

So then I need to ask the same questions I asked earlier. Whose responsibility is it to validate the security of the system? Who is expected to CARE enough and demonstrate commitment and good judgment? Whose fault is it when the Pharmaceutical industry spends billions of dollars implementing a system that, if implemented without careful consideration of the security issues surrounding the deployment, is doomed to fail as did electronic voting systems and the mortgage markets? Only this time, people’s lives are directly at stake. Who is going to pay to implement the system, then pay to fix it when it fails, not to mention pay for the recourse to remedy wrongful deaths?

You and I will, of course.

So whose responsibility is it? Who will step up to the plate? Who can step up to the plate?

Karsten Nohl Discusses RFID Insecurities

Karsten Nohl, the security researcher who was part of a team that broke the crypto algorithm in the Mifare Classic RFID-based smart card, talks about his upcoming briefing at Black Hat in Las Vegas in an interview with Security Wire Weekly called Wireless Insecurities.

Nohl, a University of Virginia graduate student, has been active with the RFID Security Alliance and presented a threat model for Mifare at our May meeting. Hear his interview at http://securitywireweekly.blogs.techtarget.com/2008/08/01/sww-wireless-insecurities/

Monday, August 4, 2008

RFIDSA Presenting at RFID World on September 9.

Members of the RFID Security Alliance are presenting at RFID World. The presentation is called "RFID Security Should Not be an Afterthought." If you are going to be in Las Vegas for this event, you are invited to attend the session.

Date/Time: Tuesday, September 9, 2008, 1:00pm — 1:50pm

Description: RFID technology offers great benefits - supply chain solutions, for example, provide unprecedented visibility and increased efficiency. However, the technology also introduces a number of new business risks, among them:
-Fraud and error as a result of tag data manipulation
-Cloning of tags
-Malware and viruses stored on tags
-Hacker attacks at the point of sale, cyber shoplifting
-Interruption of business continuity as a result of attacks against IT infrastructure (readers, edge servers, backend systems)
To fully enjoy the benefits of RFID, these risks need to be addressed adequately. A holistic approach is required, analyzing an RFID system end-to-end to identify potential threats and their business impact. Members of the RFID Security Alliance will discuss strategies to minimize or mitigate these risks and how to comply with industry regulations and governing law (e.g. SOX, FDA). The discussion starts with a short presentation by Lukas Grunwald (NeoCatena).
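As an added illustration of the first and third risks in that list (tag data manipulation, and malware carried on a tag), and not code from the presenters or from any reader vendor: a reader backend that splices the tag's contents into a SQL statement will execute whatever SQL a crafted tag carries, which is how "malware on a tag" reaches the IT infrastructure behind the reader. The inventory table, the EPC-style serials and the hostile payload are constructed for this example. The hardened variants bind the payload as a parameter and, as a second layer, refuse anything that is not shaped like an identifier before it is stored.

```python
"""
Added example, not from the session announcement above or from any RFID vendor:
a reader backend that splices tag contents into SQL executes whatever a crafted
tag carries. The schema, the EPC-style serials and the hostile payload are
constructed for this illustration.
"""
import re
import sqlite3

# Constructed sample reads: one genuine EPC-style serial and one payload an
# attacker has written onto a tag.
GENUINE = "urn:epc:id:sgtin:0614141.107346.2018"
MALICIOUS = "x', 'pallet-B', 1); DELETE FROM inventory; --"

# Format gate: the only shape of identifier this backend expects to see.
EPC_SGTIN = re.compile(r"^urn:epc:id:sgtin:\d+\.\d+\.\d+$")


def fresh_db() -> sqlite3.Connection:
    """In-memory inventory table seeded with one genuine row (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory (epc TEXT, product TEXT, qty INTEGER)")
    db.execute(
        "INSERT INTO inventory VALUES ('urn:epc:id:sgtin:0614141.107346.2017', 'pallet-A', 40)"
    )
    db.commit()
    return db


def ingest_unsafe(db: sqlite3.Connection, tag_payload: str, product: str) -> None:
    """Deliberately vulnerable: the tag's bytes become part of the SQL text.

    executescript stands in for middleware whose driver runs stacked statements.
    """
    db.executescript(
        f"INSERT INTO inventory VALUES ('{tag_payload}', '{product}', 1);"
    )


def ingest_parameterized(db: sqlite3.Connection, tag_payload: str, product: str) -> None:
    """Parameter binding: the payload is stored as data and never parsed as SQL."""
    db.execute("INSERT INTO inventory VALUES (?, ?, 1)", (tag_payload, product))
    db.commit()


def is_well_formed_epc(tag_payload: str) -> bool:
    """True only for identifiers shaped like an SGTIN URN."""
    return EPC_SGTIN.match(tag_payload) is not None


def ingest_validated(db: sqlite3.Connection, tag_payload: str, product: str) -> bool:
    """Validate first, then bind. Returns whether the read was accepted."""
    if not is_well_formed_epc(tag_payload):
        return False
    ingest_parameterized(db, tag_payload, product)
    return True


def count_rows(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM inventory").fetchone()[0]


def stored_epcs(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT epc FROM inventory ORDER BY rowid")]


def demo() -> dict:
    """Run each ingestion path over the same two tag reads and report the resulting state."""
    unsafe = fresh_db()
    ingest_unsafe(unsafe, GENUINE, "pallet-A")
    ingest_unsafe(unsafe, MALICIOUS, "pallet-A")  # the payload's DELETE wipes the table

    bound = fresh_db()
    ingest_parameterized(bound, GENUINE, "pallet-A")
    ingest_parameterized(bound, MALICIOUS, "pallet-A")  # stored literally, runs nothing

    gated = fresh_db()
    accepted = [ingest_validated(gated, p, "pallet-A") for p in (GENUINE, MALICIOUS)]

    return {
        "unsafe_rows": count_rows(unsafe),
        "bound_rows": count_rows(bound),
        "bound_epcs": stored_epcs(bound),
        "gated_rows": count_rows(gated),
        "gated_accepted": accepted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe path ends with an empty inventory table: the tag did not need to exploit the reader's firmware, it only needed the backend to trust what it read. Parameter binding alone is enough to stop the SQL from running, but the hostile string is still sitting in the database, ready to bite any downstream system that re-uses it unsafely; the format gate keeps it out entirely, which is why both layers belong in an end-to-end analysis of the kind the session describes.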

More information about RFID World is at http://www.cmpegevents.com/web/rfid/home