The security week that was: 03/14/08

March 14, 2008
A weekly surveillance of news shaping your profession

Dare our industry mention it? There was another hack of an access control technology in the last couple months. Apparently a graduate student right here from the U.S. of A., along with a pair of other computer researchers, managed to break the security for MIFARE Classic. I mentioned this on my blog over a week ago, and apparently the national media has since recognized this as well, with the Associated Press releasing a story two days agon on this same topic.

So here's what we know. There are numerous types of MIFARE technologies. Some are more secure than others. Some have basic security; some have practically no security; some have high security. In fact, NXP (the creator of MIFARE) released MIFARE Plus this week, which Henri Ardevol, general manager of automatic fare collection for NXP Semiconductors, said "offers unprecedented levels of security, privacy, compatibility and performance for entry-level smart cards, and is ideal for ticketing systems." The MIFARE Plus technology also is backwards compatible to MIFARE Classic (the type of MIFARE that was hacked) and can be used for facility access control.

There is one thing to note about this story, and I mention it in case you had not seen my blog post and might have read one of the national stories on this issue. MIFARE Classic was not used for credit cards and debit cards as was mistakenly reported in early versions of some newspaper stories. We noted that fact on our blog, but for persons without a background in security, it can be very easy to confuse the different MIFARE options available. In fact, the Smart Card Alliance responded to the Associated Press story which made that mistake (we had long-before pointed it out on the blog, and we have since added the SCA's very cogent response). The technology was, however used for tolls, transit fees and door access, with door access probably being of the greatest security concern. Even then, however, MIFARE Classic isn't the only technology used for badges and cards used with electronic door access control systems, so the concern might have been a bit overblown.

In the end, you have to get back to the unfortunate truth of security: If a man can secure it, another man can break that security. Levels of encryption that were once thought to be secure are now cracked with free programs available on the Web. Security never was meant to be static, and that's why R&D staffers work every day to keep one step ahead of the bad guys.

[On a different note: Obviously these hackers have the right to go public, and I think they do so to make a name for themselves. But wouldn't the more honorable (and profitable) response be to go directly to these companies privately with the hack?]

Research on converging risk
New data shows challenges and successes firms finding in converging security

Research on security convergence was released this week by Honeywell. The company's research division was in touch with CIOs, CSOs, and CISOs at U.S.-based global firms that had revenues from $1 billion to $100 billion. Some of what they found on convergence trends at these firms was surprising, and some seemed right on target. Our article covers the data, and Episode 24 of our podcast program brings aboard Honeywell's Peter Fehl and Novell's Ivan Hurtt (the two companies offer a converged access solution) to talk about trends in business security and risk convergence.

Covering the world of IP-based and integrated security systems

We've been busy behind the scenes recently building out a website that could serve as a repository for some of the best information about IP-connected and networked security solutions. The result is From network video to IP access control and integrated systems that communicate over standard network protocols, you'll find the information here. We recognize that there is a wealth of knowledge in our industry, and if you'd like to contribute to this site to build a comprehensive location for information on networked and converged physical security solutions, email me with your ideas.

Other news this week:
HSPD-12 contract, indictments for suspected terrorists, Chicago's cameras

Government technology services contractor EDS landed a $179 million contract with the Department of Defense's Defense Manpower Data Center (DMDC). This is where HSPD-12 and CAC implementations are done for the DoD. ... Indictments were made of four suspected eco-terrorists who are believed to have been involved with a fire nine years ago at a Michigan genetic research lab. ... Chicago has decided to use new technologies to network some of its school surveillance cameras so that police have real-time access. ... Canadian residential alarm firm AlarmForce reported a strong increase in quarterly profits, and it could be construed as yet another sign of the robustness within the security industry.

In the forums
Defining terrorism, plus networking at ISC West for members

Probably the most highly recommended thread this week comes from our Homeland Security & Global Terrorism discussion forum. I posed the question of "where do we draw the line between what is terrorism and what is not" and members weighed in to debate on where we draw that line. The discussion that followed is excellent and will absolutely make you think about what terrorism is.

ISC West meet-n-greet: If you're a member of our discussion forums and would like to catch up with some other members, we've posted the where and when details for this Vegas show. If you're not a forums member yet, join up today to talk technology and security management, and feel free to join us at our fledgling networking event.

Finally, we close as always with a look at the most read articles of the week on