Mythbusters and RFID

Started by Puke, August 30, 2008, 05:03 PM NHFT


dalebert

Quote from: Kevin Dean on September 04, 2008, 02:22 PM NHFT
It's the difference between using really good locks on your door or planting tall shrubs to conceal the doorless entry into your home.

In general, perhaps, but RFIDs are frickin' everywhere and going to be in even more places. There's no way to have a truly secret method of security. Lots of people will have to have access for them to be useful and that means it's silly to try to hide the method.

John Edward Mercier

Quote from: Kevin Dean on September 04, 2008, 02:22 PM NHFT
It's the difference between using really good locks on your door or planting tall shrubs to conceal the doorless entry into your home.

Not really a good comparison.
It would be more like casing a house and being able to find the entry, but not any locks protecting it.
Some auto customizers had systems where the door locks were shaved and the door opened remotely.
Obscures the lock and key.


Pat McCotter

Adding to this conversation is an article I just read in HSToday.us titled INFRASTRUCTURE SECURITY: SECURING SCADA.

Having worked in the power generation field since 1986 the article was all too familiar to me.

SCADA means Supervisory Control and Data Acquisition. It is how power plants - and factories in other industrial concerns - get data between machines humans can use (HMI - human machine interface) and machines that control the plant equipment (PLC - programmable logic controllers - and DCS - distributed control systems - to name two.)

Plant equipment used to be controlled by relay banks operated from panels local to the equipment. Then computers came along that could emulate relay banks using a language called ladder logic. (There is a lot of history here I am glossing over.) These computers were disconnected from any network. To let the business folk know how the plant was operating, a printout was sent daily that would be entered into the business computers.

The suits wanted real-time data so these control computers were hooked to PCs that were hooked to the LAN. This way the data could be read and transformed as the plant was operating.

Some managerial folks with awareness of how plants operate saw this and thought "What if we put some control elements in the PC and let the operators run some of this remotely? We could save money by not having people at every operating panel." So SCADA was networked but ... since these things had never been networked before there was no security implemented on them - anyone could get in if they could get on the LAN.

Then the LANs were hooked to the internet! The plant walls were opened to the world!

Then the LANs were placed behind firewalls and a lot of other security precautions. This again protected the plants. Now, though, we have wireless access to those LANs. If security here is lax, folks can drive by and see the network and attempt access.

All this boils down to - businesses want to save money; computers can handle tasks faster and more efficiently than humans; using computers we don't need as many people; we save money all around. Cut down on transportation/communication time and you save money. But you also increase risks of others getting into your system.

Pat McCotter

Quote from: John Edward Mercier on September 05, 2008, 08:52 AM NHFT
Quote from: Kevin Dean on September 04, 2008, 02:22 PM NHFT
It's the difference between using really good locks on your door or planting tall shrubs to conceal the doorless entry into your home.

Not really a good comparison.
It would be more like casing a house and being able to find the entry, but not any locks protecting it.
Some auto customizers had systems where the door locks were shaved and the door opened remotely.
Obscures the lock and key.

But, John, somebody knows the lock is there.

Previous employees, current employees, the lock manufacturer, the installer. How about the locksmith who needs to know how to open it when it breaks?

Then there are the other ways to get past the door - windows, walls, floor, ceiling, etc?

No matter how obscure the security there is going to be someone trying to get in if they think there is something of value or even if they just like a challenge.

John Edward Mercier

Obscurity doesn't mean that no one knows it exists.
It means limiting the number of people with knowledge about it.
And the depth of the knowledge of those that do.

 


dalebert

Quote from: John Edward Mercier on September 05, 2008, 10:54 AM NHFT
Obscurity doesn't mean that no one knows it exists.
It means limiting the number of people with knowledge about it.
And the depth of the knowledge of those that do.

Right, but doing that has historically resulted in less secure systems than those that are wide open to scrutiny and feedback, like open source software. It's a false sense of security.

Pat McCotter

We cannot limit knowledge of a security system.

Employees come and go. I just left a company where I was responsible for deploying VPN routers to operators so they could access the hydro plants from home. Upon leaving I turned in my VPN router and removed the router backup file from my computer. Also, the company has a process in effect that all plant routers I had access to are purged of my access credentials. Otherwise I could have bought another router and restored the backup and have continued access.

Because employees come and go there have to be people in the educational pipeline who know how to install, operate and fix these systems.

New systems are designed to overcome the flaws of older systems. The researchers know the new system. Students learn the new system to be able to work at the research firm, early adopters learn about the system as a possible replacement for existing systems.



John Edward Mercier

Not the same thing.

The credit card companies are trying to protect which cards might have RFID and which don't.
They're then trying to protect which use individual static tagging and individual random tagging.
Both of these are about obscurity of the system.

They also don't want to give any hints to the secondary either.



John Edward Mercier

Quote from: Pat McCotter on September 05, 2008, 11:23 AM NHFT
We cannot limit knowledge of a security system.

Employees come and go. I just left a company where I was responsible for deploying VPN routers to operators so they could access the hydro plants from home. Upon leaving I turned in my VPN router and removed the router backup file from my computer. Also, the company has a process in effect that all plant routers I had access to are purged of my access credentials. Otherwise I could have bought another router and restored the backup and have continued access.

Because employees come and go there have to be people in the educational pipeline who know how to install, operate and fix these systems.

New systems are designed to overcome the flaws of older systems. The researchers know the new system. Students learn the new system to be able to work at the research firm, early adopters learn about the system as a possible replacement for existing systems.



Of course you can. Each level of security can be autonomous. And anyone caught 'testing the fenceline' could get fired.



Pat McCotter

But to be useful the credit cards with RFID must be read by a card reader - in a lot of different places. Those card readers must be able to know the card is there and that it can read it. Someone has to build the system, someone has to maintain the system.

If something is going to be used by many people, many people must know about it.

Pat McCotter

Quote from: John Edward Mercier on September 05, 2008, 11:37 AM NHFT

Of course you can. Each level of security can be autonomous. And anyone caught 'testing the fenceline' could get fired.


If the company didn't have a process to purge access credentials from systems then disgruntled ex-employees could get in. They can't fire them.

Security cannot be autonomous. A company is not going to have separate departments controlling access to different areas. One department will handle it, therefore autonomy is gone.

As a company I am also not going to call different locksmiths every time I need a lock changed. The guy I called to install them knows the system, he is going to be called to quickly handle the issue.

John Edward Mercier

'Testing the fenceline' is not an actual crime... in that there is no victim.
But employees tend not to do those things that they are told not to... or face termination.

ByronB

Quote from: John Edward Mercier on September 05, 2008, 11:33 AM NHFT
Not the same thing.

The credit card companies are trying to protect which cards might have RFID and which don't.
They're then trying to protect which use individual static tagging and individual random tagging.
Both of these are about obscurity of the system.

They also don't want to give any hints to the secondary either.

Obscurity in anything that people really want to know is, IMO, a thing of the past... the internet put an end to that... now about those nuclear bomb plans I was looking at...

John Edward Mercier

Only because of State mandate.

Look at obscurity this way.

If NH had a ban on handguns... the mere knowledge that it exists would make everyone less safe.
Because it would limit the means of personal defense.
If NH had a ban on concealed carry... the mere knowledge that it exists would make everyone less safe.
Because it would make order of target acquisition much easier from a tactical standpoint.

Since no one has easily obtained knowledge of who owns and is carrying a concealed handgun... we are all safer because the risk of attack becomes lower. As State mandates make concealed carry less obscure the safety net diminishes.