Hackers Inside the Reader
In the world of physical security, especially at sensitive locations, security staff perform intrusion tests to see if they can get past the security layers (guards, access control, intrusion detection sensors, X-ray machines, etc.). In physical security operations, at least, the results of these intrusion tests are generally kept pretty close to the chest, and intrusion tests by outsiders (investigative reporters, for example) are generally treated as hostile.
Not so for the world of network security. In a previous "Weekly Recap", I reported on how an online site called Wabisabilabi had introduced online auctioning of network/software security flaws. At events like the recent DefCon, demonstrating security vulnerabilities is a public spectacle. Most of these demonstrations are done to put public pressure on companies (Microsoft has long been a target, and Apple was a recent target with the iPhone hack) to fix their security flaws. Such was the case in August, when a German security researcher found a way to crash the chip readers used to pull information off the new U.S. passport, a.k.a. the e-passport. The new passports use a smart-card-like chip that contains electronic versions of the information in the passport. According to tech magazine Wired, the researcher was also able to read some of the data on the passport chips.
Now, while I haven't seen the hack in person, the report seemed pretty credible. What's incredible, I think, is that while our country is barely able to get e-passport issuance rolling and past an issuance backlog (since the program is literally brand new), we already seem to need a technology update. Crashing a reader, it seems, is the first step in "hacking" a reader. Buffer overruns (a common way to crash software) are then frequently exploited to take control of the device. Hopefully that doesn't apply to the passport chip readers, but I wouldn't count on it not happening.
I recently heard a discussion among IT security pros about why hackers seem to be paying more and more attention to physical security and electronic access control devices (take the recent "cloning" of proximity cards as proof). "It's a whole lot easier for them to hack into your network if they're already in your building." True enough.
In the Forums
Finding technical jobs; Security department revenue
The forums at SecurityInfoWatch.com have been growing by leaps and bounds over the last year, and we're pleased to introduce a new sub-forum: Technical Security Jobs. This sub-forum is a place where alarm companies, integrators, and even vendors can post online listings recruiting candidates. If you're looking for talent in the security industry, post your job in that forum today.
In our Security Operations & Management forum, check in on the interesting thread about a manned (officers/guards) security department at a mall that was instructed to start becoming a profit center, rather than a cost center. The discussion (and outrage) is an interesting point-and-counterpoint about what the role of security should be and whether it's OK to be a cost center as long as you're doing your job. On that same note, Bob Hayes and Kathleen Kotwica of the Security Executive Council shared some tips in our article "Measuring the Business Value of Security". If ROI and "cost center vs. profit center" are issues you're dealing with, check out Bob and Kathleen's ideas about metrics and proving your department's worth.
Showtime for Security
ISC East around the corner, ASIS Int'l not far off!
Don't forget to mark your calendars for the upcoming shows ISC East (New York, Sept. 11-12) and ASIS International Seminars and Exhibits (Vegas, Sept. 24-26). These two venerable shows not only feature excellent educational sessions, but more products and vendors than you can shake a stick at. Expect to wear comfortable shoes at each; both are reporting excellent vendor attendance, and ASIS says it has sold out of exhibit space. There's still room for attendees, of course. SecurityInfoWatch.com will be doing live reporting from both shows -- as you've come to expect.