Thursday, March 29, 2007

Spring has sprung, the grass has riz, I wonder where the RFID ...

I recently got a new ePassport with an RFID chip installed. I would have gotten a legacy passport sooner had I been actively following Ireland's rollout schedule for ePassports. As I only provided the minimum amount of information, e.g. old passport, photos and basic identity information, I am not currently deeply worried; however, the potential to:

a) read my information
b) write new information
c) clone my identity
d) at some future time add more biometric information
e) remotely fingerprint the passport nationality

led me to re-read some work being carried out on RFID security and the encryption algorithms and key material being used, or not used as the case may be. The term PKI (Public Key Infrastructure) has been bandied about, however who owns and controls the root key(s), and how is the local key derived? What is the key strength, who owns or controls them? Can I read my own info? How secure is their BAC (Basic Access Control)? Not very, it seems. Issues abound in passports, credit cards and building or system access cards whereby proximity readers are employed.

Right now I would like to disable the chip completely, but I believe this to be a crime. Maybe I can coax it to gently fail? What is the MTBF (Mean Time Between Failures) for the RFID chips in Irish passports? The UK ones seem to be fairly short.

Passports cloned at BlackHat :

Bruce Schneier commentary

Tools and Information from RFIdiot

Electronic Frontier Foundation

RFID Security and Privacy Also, 1G Vulnerabilities in Credit Cards

Potential misuse via a targeted IED (Improvised Explosive Device)

Paper on RFID card security :

Basic countermeasures !
( Thinking about reducing skimming attempts through shielding! )

Tuesday, March 13, 2007

The Elves and the Shoemaker ( Part 1 )

Q. When is your reality not your reality?
A. When it's somebody else's?

So excuse the existentialism for a moment and permit me if you will, to step back from the issue to elaborate more clearly my opinion of the forces at work at a deeper level. At no time in history has the rate of change, the terms of reference and the paradigms been so extraordinarily different as they are currently, especially for knowledge based/information economies, or other businesses and organisations that rely upon or use Information Technology.

As William Gibson said, "the future is already here, it's just unevenly distributed".

For some this creates an exciting, ever-changing, ever-learning environment in which one can in some ways actively contribute and watch the future unfold in 'realtime' like never before. In no other discipline (I use the term 'discipline' lightly ...) is this rate of change as pronounced as it is in Information Security/Protection/Assurance ... where one must be constantly abreast of new technologies and engaged in a never-ending cyber arms race in an effort to help defend an organisation's assets from malicious attack or unintended breaches in data and service integrity, confidentiality or availability. A mammoth task even in smaller organisations.

EDS may have tried to herd cats, but we in Infosec try to repel alien invasions, uncover national conspiracies, protect and serve, and offer matrix style A-team vigilantism served up with a side order of business acumen and a portion of savoir faire. Fun until you realise your noble pursuit of protecting the weak and innocent, fighting the forces of evil and saving the world from itself isn't necessarily shared by all elves. Funny that ... the naivety in thinking that there were no lazy, apathetic IT elves ... the realisation that all the IT elves must do their work to a certain level of quality and assurance for your work to even begin to be worthwhile, measurable, or at least have the other elves believe you when you tell them of the 'dark magic' that counteracts the good elven magic they are so used to (this of course without demonstrating 'dark magic' on production or development systems as we meanwhile wait for the 'dark elves' to try all manner of 'dark magic' until they install 'dark doors' that are practically untraceable ...)

For many in business, even in IT itself, it is easier to allow the elves to get on with their daily magic and then work with the ensuing results, embracing without question the supposed increases in productivity and efficiency.

Most beings work on a macro layer and let the elves create and dabble in even more elven magic to ensure the lower level elves and base magics behave themselves. What we don't know can't and shouldn't hurt us right?

Let's take an administrator, management entity or executive in the Grimm Brothers Ltd. shoe business as a potential test subject. They are constantly worried about profit, share value, productivity and efficiency (as they might be in any business). They don't actually need to fully grasp how the increases in output and efficiency are achieved by the latest and greatest elves and magic, just that they work and work well. Unfortunately conveying and measuring the potential pitfalls and complexity of using this magic is extremely hard to explain to anyone who doesn't have a grasp of the most basic and rudimentary tenets of elven magic. Problems are compounded by the outsourcing of elven work to other cheaper elven lands, or insisting upon the use of increasingly complex and esoteric elven magic - without keeping some local elves in reserve to do quality assurance, vendor management or governance. Somehow all elves should be trusted with all magic and unfortunately unmanageable and unmeasurable SLA's (Service Level Agreements) cannot and do not incur penalties. Increasingly and understandably management want to connect their business directly to 'other' realms in the hope of increased sales and access to more B2E (Business-to-Elf) services ...

Unfortunately these realms also contain both good and bad elves, dark magic ... and all number of mythical and mysterious self replicating evil beasties and other magical creatures.

One mis-spoken elven incantation (depending upon the situation and circumstance) can cause terrible horrors and cripple a shoe business, reducing them back to cobblers. Rumour has it that a certain shoe business continued to make a full month's worth of shoes in the wrong realm without anyone noticing, while the offending bad elf pocketed the money and sold the incantation to other bad elves to use on other similarly connected shoe businesses for fun and profit.

In what I will call 'standard industries', people, resources, inputs/outputs, and the processes in between have, for centuries, been producing products and services with ever more efficient physical world means. Problems were addressed with mainly conventional wisdom and experience was garnered slowly but surely. Information's potential for utility was dictated by its storage, processing, quantity and speed of access. There was time to learn and slowly adapt to changing markets and conditions. Knowledge was passed on and people generally knew what was going on (or at least you could look under the hood and somewhat infer the mechanism and physics of the system). There was no need for knowledge of the other 'realms' or of extra sneaky elven escapades. In fact way back then there were no elves and no magic!

I think society is now approaching the Shoe Event Horizon?

Hopefully this goes some way to highlighting the levels of abstraction, complexity and lack of care in use of even the most basic elven magic ... the fact that elven magic is almost ubiquitous in every aspect of modern society and becoming even more so, should be a warning flag of sorts. I am still a little iffy on how my fridge works ... thermodynamics and all that, but I'm damned sure no other realm's dark elven magic will leak in through my freezer box, monitor me and empty my online bank account.

a) Forest from the trees: Micro vs Macro

Where do IT Security managers/analysts/admins really sit in the hierarchy of the business? Are they perceived as generating value or just scaremongering? Do they actually understand the business themselves? How many cowboys are there currently in this business and do these professionals still have an active foot in the 'real' business generation of value? Are the security vendors only interested in selling more kit? Is it worth building robust products and services with longevity that won't necessarily generate repeat business, entail a support contract or restrict usage and try to enforce overzealous licensing requirements?

Are we generating more complexity every second, introducing more nodes and depth of code rather than reducing it and improving the quality? Is this really an increase in efficiency and manageability? How many layers of abstraction and protocols before one gets to the data object?

b) Understanding the business: Bottom lines and risk management?

I agree that the technically orientated need to understand the business more, but the business guys need to understand the technical aspects of the platforms and systems they employ also. Maybe the security guys need to have security relationship managers facing off to other parts of IT and the business, or would this just complicate matters? Must each security dude/manager be a CSO and CTO in their own right? Are we asking too much or too little?

How can one employ risk management techniques without first understanding the flows and business processes, rather than just the distinct packets and security posture of systems in isolation? How does one map a business that is changing at such a fast pace 'under the hood' as it relates to operating systems, custom code, new rollouts, decommissioning etc.? How up-to-date and integral is your DNS, logging, NTP, routing, host database and asset management? How integrated and aware are your change management and operational monitoring systems? How much confidence do you have in all this information and the dudes, dudettes or elves performing the changes? And is this all required across the board from SMEs and up?

c) Culture and generational: Youth vs. Age and wisdom of both?

Who wants the equivalent of a spotty youth or young buck trying to convey a different paradigm of the world to a well established businessperson who has made their mark and 'understands' the business fully? Many questions abound here ... how long has one been in their role, are they keeping up-to-date, do they actually care, is it all too much and how often is 'the changing of the guard' occurring in the higher echelons of a business?

d) Communication and quantification: Describing and conveying risk?

You can't manage what you can't measure. What metrics are available or employed to convey meaning and progress? How do you value your data, systems, IP flows and business systems other than the physical asset values? How do you translate these abstract concepts and systems to other business decision makers? Are analogies a poor substitute for direct real evidence? So at the end of the day, what you are going to communicate precedes the how.

“Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it.”
Grace Murray Hopper

Metrics, metrics, metrics ... what, how, where and when to measure? How do you enumerate the risks? Some progress is being made, but we are at a very early stage. Definitions are still somewhat wishy washy, frameworks are like standards... 'the beauty is that there are so many to choose from'.

When IT products and commercial code are more regulated and built with greater tolerances we'll all be in a better place.... see here!

e) Rate of Change and Future Shock: Telescoping, new paradigms and new physics?

A while back on the Security Metrics mailing list I started a debate on the new world physics employed when dealing with Information Security/Protection. Dan Geer had a great paper on the issue of time and the geographic, physical and technical issues faced in cyberspace versus the physical world. I highly recommend it.

Executives, managers and all aspects of business (including elves) are experiencing 'Future Shock'; which is basically a 'culture shock' in our own society and time, where the rate of change constantly removes our terms of reference and leaves us alienated. Are you still trying to ride the wave of information overload and how do you hope to address it? Or are you starved of the quality of data you require to make effective and critical judgements for your life, liberty and the pursuit of business/happiness?

Do we really need more elves and magic right now?

Thursday, March 01, 2007

It's much clearer now.

This explains many of my previous posts and some I am actually working on right now regarding 'Future Shock', e.g. moving towards a:

Funny how lots of research, conversations and other material lead you to the same conclusion after having come from many paths. Back to TED and Ray Kurzweil.

Are Biology and Technology the keys? Kevin Kelly on TED

This has only strengthened my resolve to find balance, master the mind, and address certain internal needs. Where are we racing to and what happens when we get there?

Does Eamonn Healy know? Telescopic Evolution
( Another excerpt from Richard Linklater's Waking Life )

Interconnectedness and transience abound.

With Peak Oil ( ABC Video ) a seemingly plausible near term future on earth, should we not all be planning ahead and focussing on what really matters in life?

I think perhaps searching for a middle ground between permaculture and IT will be my path / purpose.
