The security industry now functions in a new world: one where companies that release networked products and systems that are not ready for safe deployment will find that their customers quickly become aware of it. Here is a question I received from a security practitioner who approached his IT department about putting security systems onto the corporate network, to achieve a number of important benefits.
Q: I told IT that I wanted to put two of our security systems onto the corporate network. They asked me for vendor names, software and firmware version numbers and release notes, and vulnerability disclosures. What is a vulnerability disclosure, and why are they asking for it?
A: Vulnerability disclosure is: (a) the practice of publishing information (disclosures) about a computer security problem, and (b) a type of policy that specifies guidelines for doing so. A disclosure may be published by the person or organization that discovers the vulnerability, or by a responsible body such as the Computer Emergency Response Team (CERT). Sometimes the vendor is alerted prior to disclosure and is allowed a certain amount of time to fix the problem before the vulnerability information is published. CERT's Vulnerability Disclosure Policy can be read here: www.cert.org/kb/vul_disclosure.html.
IT folks ask for vulnerability disclosures because they are responsible for seeing that all systems and devices are deployed in a secure manner on their network. They need information to do this. In the absence of such information, a researcher may be tasked with collecting information and identifying vulnerabilities, including by examining the products or systems directly. Direct examinations are becoming more commonplace.
Video System Attack
Last year at the DEFCON conference, which describes itself as "The Hacker Community's Foremost Social Network," a network research firm (people who do network penetration testing for a living) hacked a brand-name video system and fed previously copied video back into its display and recording stream. They picked up an object off a table, but the video system showed the object as still being there. This type of attack is called a "replay attack": data recorded earlier is played back later and fed into the system as if it were live.
A sophisticated version of this attack would involve injecting captured video data of the object removal several hours later in time from when it actually occurred. The system's time-stamped video would then provide "evidence" of the object's removal at a time when the attackers were several hours away, establishing a solid alibi. The recorded video would be properly watermarked by video management software, thus falsely "authenticating" the fact that the attackers "could not have done it."
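One way a recorder can tell replayed frames from live ones, as an added example that is not from the DEFCON presentation or any vendor's product: the camera authenticates each frame together with its sequence number and capture time under a shared key (assumed here to be provisioned to the camera and recorder), and the recorder rejects any frame whose tag fails, whose capture time falls outside a short freshness window, or whose sequence number has already been seen. The recorder's own timestamp and watermark are applied only to frames that pass these checks, so an hours-later injection cannot be "authenticated" by the recording software.

```python
import hashlib
import hmac
import struct

# Constructed example key; a real deployment provisions a per-camera secret.
CAMERA_KEY = b"constructed-example-key-not-for-production"
FRESHNESS_WINDOW_S = 5.0  # how far a frame's capture time may differ from the recorder's clock


def _tag(key, seq, capture_ts, frame_bytes):
    # Bind frame content to its sequence number and capture time in one MAC.
    header = struct.pack("!Qd", seq, capture_ts)
    return hmac.new(key, header + hashlib.sha256(frame_bytes).digest(), hashlib.sha256).digest()


def sign_frame(key, seq, capture_ts, frame_bytes):
    """Camera side: emit a frame with its authenticated metadata."""
    return {"seq": seq, "ts": capture_ts, "frame": frame_bytes, "tag": _tag(key, seq, capture_ts, frame_bytes)}


class ReplayAwareRecorder:
    """Recorder side: accept only authentic, fresh, never-before-seen frames."""

    def __init__(self, key, window=FRESHNESS_WINDOW_S):
        self.key, self.window, self.last_seq, self.accepted = key, window, -1, []

    def accept(self, msg, now):
        if not hmac.compare_digest(_tag(self.key, msg["seq"], msg["ts"], msg["frame"]), msg["tag"]):
            return "reject: bad tag"          # modified content or forged metadata
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale capture time"  # the hours-later alibi injection
        if msg["seq"] <= self.last_seq:
            return "reject: replayed sequence"   # re-injection of a recent frame
        self.last_seq = msg["seq"]
        self.accepted.append(msg["seq"])          # only now does the recorder timestamp/watermark it
        return "accepted"


def simulate_replay():
    """Constructed scenario: three live frames, then replays and a tampered frame."""
    rec = ReplayAwareRecorder(CAMERA_KEY)
    t0 = 1_700_000_000.0  # constructed capture clock, 30 fps
    live = [sign_frame(CAMERA_KEY, i, t0 + i / 30, b"frame-%d" % i) for i in range(3)]
    results = {"live": [rec.accept(m, m["ts"] + 0.05) for m in live]}
    results["replay_now"] = rec.accept(live[1], t0 + 0.2)           # same frame re-sent immediately
    results["replay_later"] = rec.accept(live[1], t0 + 3 * 3600)    # same frame injected hours later
    results["tampered"] = rec.accept(dict(live[2], frame=b"frame-2-object-removed"), t0 + 0.2)
    return results
```

The sequence check alone would miss a counter reset after a camera reboot, and the freshness check alone would miss a replay within the window, which is why both are applied.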
You can download the 50-minute video of the presentation from the DEFCON home page (www.defcon.org), under the heading "Advancing Video Application Attacks with Video Interception, Recording, and Replay."
Access Control System Attack
Last month at CarolinaCon, an annual hacker's conference in North Carolina, security researcher Shawn Merdinger presented his successful attack on a name-brand networked access control system. He commented in the presentation, "The problem is that they [facilities and physical security] have this convergence ... and they are slapping this stuff onto your network. So you need to be aware of what's going on." Not only does he demonstrate how easy it was to hack the access control system, he puts the company's marketing statements up on the screen about how safe it is to connect the system to the Internet. He then demonstrates an Internet search that locates many such systems on the Internet which are wide open to the type of hack he demonstrates. Like any good security researcher, Shawn reported the vulnerabilities to CERT/CC and worked with them to follow responsible disclosure practices. He also outlined steps to mitigate their impact.