The security industry now functions in a new world: one where companies that release networked products and systems that are not ready for safe deployment will find that their customers quickly become aware of it. Here is a question I received from a security practitioner who approached his IT department about putting security systems onto the corporate network in order to achieve a number of important benefits.
Q: I told IT that I wanted to put two of our security systems onto the corporate network. They asked me for vendor names, software and firmware version numbers and release notes, and vulnerability disclosures. What is a vulnerability disclosure, and why are they asking for it?
A: Vulnerability disclosure is: (a) the practice of publishing information (disclosures) about a computer security problem, and (b) a type of policy that specifies guidelines for doing so. Disclosure may be published by the person or organization that discovers the vulnerability, or by a responsible body such as the Computer Emergency Response Team (CERT). Sometimes the vendor is alerted prior to disclosure, and is allowed a certain amount of time to fix the problem before the vulnerability information is published. CERT's Vulnerability Disclosure Policy can be read here: www.cert.org/kb/vul_disclosure.html.
IT folks ask for vulnerability disclosures because they are responsible for seeing that all systems and devices are deployed in a secure manner on their network. They need information to do this. In the absence of such information, a researcher may be tasked with collecting information and identifying vulnerabilities, including by examining the products or systems directly. Direct examinations are becoming more commonplace.
Video System Attack
Last year at the DEFCON conference, which describes itself as "The Hacker Community's Foremost Social Network," a network research firm (people who do network penetration testing for a living) hacked a brand-name system and fed back copied video into its video display and recording stream. They picked up an object off a table, but the video system showed the object as still being there. This type of attack is called a "replay attack," where data recorded earlier is played back later and fed into the system.
A sophisticated version of this attack would involve injecting captured video data of the object removal several hours later in time from when it actually occurred. The system's time-stamped video would then provide "evidence" of the object's removal at a time when the attackers were several hours away, establishing a solid alibi. The recorded video would be properly watermarked by video management software, thus falsely "authenticating" the fact that the attackers "could not have done it."
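The two paragraphs above make a point worth seeing in code: a watermark that covers only the frame content proves the bytes were not altered, but it says nothing about whether the frame is live, so a replayed frame passes it. The defence is a recorder-side freshness check that binds each frame to a sequence number and capture time under a key the attacker does not hold. The following Python is an added illustration written for this column; it is not code from the DEFCON presentation or from any vendor's product, and it assumes a constructed camera key, a constructed five-frame stream and a recorder that sees the frames in arrival order.

```python
import hashlib
import hmac
import struct

# Constructed per-camera secret shared only with the recorder (not a real key).
CAMERA_KEY = b"constructed-demo-key-for-camera-01"


# --- baseline: an unkeyed watermark over the pixel data only ----------------
def watermark(pixels: bytes) -> bytes:
    """Integrity mark over the frame content alone. It proves the bytes are
    unmodified; it cannot tell a live frame from one recorded earlier."""
    return hashlib.sha256(b"WM" + pixels).digest()


def watermark_ok(pixels: bytes, mark: bytes) -> bool:
    return hmac.compare_digest(watermark(pixels), mark)


# --- hardened: keyed tag binding frame, sequence number and capture time ---
def sign_frame(seq: int, ts_ms: int, pixels: bytes, key: bytes = CAMERA_KEY) -> bytes:
    """Camera-side tag: HMAC over (sequence number, capture time, pixels)."""
    msg = struct.pack(">QQ", seq, ts_ms) + pixels
    return hmac.new(key, msg, hashlib.sha256).digest()


class ReplayDetector:
    """Recorder-side freshness check: reject a frame whose tag fails, whose
    sequence number does not advance, or whose capture time is too far from
    the recorder's own clock."""

    def __init__(self, key: bytes = CAMERA_KEY, max_skew_ms: int = 2000):
        self.key = key
        self.max_skew_ms = max_skew_ms
        self.last_seq = -1

    def check(self, seq: int, ts_ms: int, pixels: bytes, tag: bytes, now_ms: int) -> str:
        if not hmac.compare_digest(sign_frame(seq, ts_ms, pixels, self.key), tag):
            return "bad_tag"            # content, sequence or timestamp was altered
        if seq <= self.last_seq:
            return "replayed_sequence"  # already seen: recorded earlier, played back
        if abs(now_ms - ts_ms) > self.max_skew_ms:
            return "stale_timestamp"    # genuine frame, but not captured now
        self.last_seq = seq
        return "ok"


def make_stream():
    """Constructed 5-frame stream, one frame per second from t=0: frames 0-2
    show the object on the table, frames 3-4 show it gone."""
    frames = []
    for seq in range(5):
        pixels = b"object-present" if seq < 3 else b"object-gone"
        ts = seq * 1000
        frames.append((seq, ts, pixels, sign_frame(seq, ts, pixels), watermark(pixels)))
    return frames


def simulate():
    """Deliver the live stream, then a replayed frame 2 at t=8 s. Returns
    (seq, watermark verdict, keyed-detector verdict) for every delivered frame."""
    det = ReplayDetector()
    results = []
    for seq, ts, pixels, tag, mark in make_stream():
        results.append((seq, watermark_ok(pixels, mark), det.check(seq, ts, pixels, tag, now_ms=ts)))
    # Replayed frame 2 ("object present") arriving at t=8000 ms with bytes untouched:
    # the watermark still verifies, the keyed detector sees a stale sequence number.
    seq, ts, pixels, tag, mark = make_stream()[2]
    results.append((seq, watermark_ok(pixels, mark), det.check(seq, ts, pixels, tag, now_ms=8000)))
    # Same frame with sequence and time rewritten to look fresh: without the key
    # the tag cannot be recomputed, so the detector rejects it outright.
    results.append((9, watermark_ok(pixels, mark), det.check(9, 8000, pixels, tag, now_ms=8000)))
    return results


if __name__ == "__main__":
    for seq, wm, verdict in simulate():
        print(f"frame {seq}: watermark={'ok' if wm else 'bad'} detector={verdict}")
```

Two design choices matter here. The sequence counter is what catches a replay of an otherwise genuine frame; the time window (2 s of allowed skew in this example) additionally catches a frame that was captured long ago and is fed in with its original timestamp. Both checks only work because the tag is keyed: an unkeyed watermark can be recomputed by anyone who holds the frame.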
You can download the 50-minute video of the presentation from the DEFCON home page (www.defcon.org), under the heading "Advancing Video Application Attacks with Video Interception, Recording, and Replay."
Access Control System Attack
Last month at CarolinaCon, an annual hackers' conference in North Carolina, security researcher Shawn Merdinger presented his successful attack on a name-brand networked access control system. He commented in the presentation, "The problem is that they [facilities and physical security] have this convergence ... and they are slapping this stuff onto your network. So you need to be aware of what's going on." Not only does he demonstrate how easy it was to hack the access control system, he also puts the company's marketing statements about how safe it is to connect the system to the Internet up on the screen. He then demonstrates an Internet search that locates many such systems on the Internet which are wide open to the type of hack he demonstrates. Like any good security researcher, Shawn reported the vulnerabilities to CERT/CC and worked with them to follow responsible disclosure practices. He also outlined steps to mitigate their impact.
In the IT world, vulnerabilities are hunted and found as a matter of normal daily business by network research firms whose role it is to find vulnerabilities so that they can be fixed. They also perform penetration testing for their customers, who require verification that their own systems are being maintained at an acceptable level of security.
From now on, it will be the rule rather than the exception that hacker conferences include sessions on how to hack physical security systems, just as they already contain sessions about hacking telephones, Web servers, information systems and so on.
Whether you are a manufacturer, a consultant, a systems integrator or an end-user customer, it is now critical that you begin paying attention to the vulnerabilities of the products and systems you provide or depend on.
Right now, you can't go wrong assuming that all physical security systems are vulnerable as shipped from the factory. I was about to write that I know of no commercial off-the-shelf system that ships with specific instructions for secure network deployment or system hardening. Then I learned from my network research colleague Rodney Thayer that Firetide (www.firetide.com) did include hardening information in one of its installation documents - but buried in the midst of other things as opposed to highlighted front-and-center, as the industry needs.
The good news is that this picture is starting to change and Security Technology Executive is dedicated to reporting those changes and improvements to you.
Editor's Note: An expanded version of this article is available at SecurityInfoWatch.com.
If you have convergence experience you want to share, e-mail your comments to me at ConvergenceQA@go-rbcs.com or call me at 949-831-6788. If you have a question you would like answered, I'd like to see it. We don't need to reveal your name or company name in the column. I look forward to hearing from you!
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 22 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).