[Dailydave] Security Paleontology - The Jurassic Park rule

Rafal ( Wh1t3Rabbit) Los Rafal at IsHackingYou.com
Thu Jul 17 14:46:42 EDT 2014


Wolfgang - this is both great and scary at the same time. People are historically horrible at managing passwords... so now we're going to a system where payment is determined by something we're bad at keeping secret? In theory this is a good idea, except for the password part. If they can figure out a way to make the *authentication* more 'secure' then I think it's a leap forward.

Thinking about it more, am I wrong thinking this is a shift in possible liability from the merchant (who had no hope of doing security right) to the end-user? With the token being useless (and the data now holding very little value) outside that merchant, doesn't the focus for attackers now shift to the user and their login name and password pair?

Just thinking out loud here.

/Raf

-----Original Message-----
From: dailydave-bounces at lists.immunityinc.com [mailto:dailydave-bounces at lists.immunityinc.com] On Behalf Of Wolfgang Kandek
Sent: Thursday, July 17, 2014 11:40 AM
To: Dave Aitel
Cc: dailydave at lists.immunityinc.com
Subject: Re: [Dailydave] Security Paleontology - The Jurassic Park rule

Interesting thought. I listened to the following report on Visa' new Checkout system on my home from work yesterday and it seems in line with your suggestion. Online retailers get a one-time token for each transaction from Visa's system which makes storage of card data unnecessary at the retailer. I think that is comparable to how a Paypal transaction would look like, but I  am not sure how the same level of comfort (1-click buy) that we have today with credit card storage can be reached with this type of system.

http://wnpr.org/post/visa-makes-big-move-boost-consumer-spending-online

-
Wolfgang


On Thu, Jul 17, 2014 at 6:51 AM, Dave Aitel <dave at immunityinc.com> wrote:
> I got a bunch of replies that said this:
> """
> Dave, enjoyed reading your rant, but I don't understand your punchline 
> on securing data --"but in fact, just to make it less valuable" - how 
> do you do make data less valuable?
> """
>
> So to bring us back to how you do this, let 's take a quick look at 
> credit cards and Target, which are the best example of an "If you 
> collect it, hackers will come" information security strategy. What 
> Target really wants is not Chip and Pin (or worse, Chip and Sign), but 
> a transactional system that is only good ONE TIME and to ONE PERSON. 
> What they want is something where I say "On this day please pay Target 
> 11.50 USD" and then cryptographically sign it. This is actually not 
> that hard to do in the age of smart phones and Google wallet.
>
> If you steal a bunch of those signed blobs, NOBODY CARES. They are 
> useful only to Target and only for that one day. I guess you could 
> datamine them and find out I bought a toothbrush that rotates because 
> I'm a sucker for such things, but that's it.  We don't as a society 
> have to fund a giant team of FBI and SS agents to hunt down teenagers 
> in Eastern Europe (those headlines where we crow about arresting some 
> teenager are embarrassing to everyone involved).
>
> In RSA's case you have to wonder why they have the key material for 
> their SecureID tokens in a DB of any kind at all? Just delete that 
> stuff as you create it. Instead of collecting data, how about NOT collecting data?
> Wysopal likes to go on about "security technical debt", which is 
> essentially when you are building a system and you don't consider 
> security and later you have assess, retrofit, or junk the entire 
> system (this is the credit card system from A to Z in a nutshell). 
> Honestly, this is something M&A people really should take into 
> consideration a lot earlier in their valuation process.
>
> But there is also a technical debt associated with collecting any kind 
> of large database of information. This is counter-intuitive because 
> having lots of information is a very valuable thing for a corporation 
> or Government agency! But it is also a huge liability, and so building 
> these databases should be undertaken with caution. If you haven't 
> asked "How can I make this database valueless to anyone but me?" then 
> you have already failed at information security and you are left to worry about IT security instead.
>
> -dave
>
>
>
>
> On 7/16/2014 4:29 PM, Dave Aitel wrote:
>
> Like many of you, I went to the theater with a child much too young 
> and re-watched new and more awesome 3D-Jurrassic Park until they cried 
> loudly enough to annoy the other theater-goers and wanted to leave. 
> Because in 3D, those big dinosaur things are scary. And also that dude 
> gets eaten while on the toilet.
>
> And, honestly, looking at a lot of the security problems my friends 
> are dealing with  on the defensive side makes me re-iterate that I'd 
> rather be eaten, while on the toilet if necessary, by a large reptile 
> than ever try to convince someone that "cloud security" was possible. 
> How are you going to do anything securely in the cloud, when the core 
> problem of performance isolation is basically just a lot of hands 
> waving over a lot of CPU's in the basic architecture of perfidy that 
> Seymore Cray would have cried to have even dreamed about.
>
> I know you all feel the same way about sitting through any 
> presentations on Internet Scale Performance - except all your IO is 
> going over a cleartext leased line through both China and Russia 
> before coming back to you, on machines whose hypervisors are all 
> corrupted by malware that "can't possibly exist".
>
> And, of course, what my friends often want to know about is "the root 
> cause".  You can probably see the 
> former-Saudi-contruction-project-managers
> that make up a lot of Al Quada's command structure thinking the same thing.
> "Maybe if we just stop using cell phones so much we'll stop getting 
> eating by the giant beasts that are hunting us?" And you can see 
> Target's new team using that same tone of voice except in a much nicer 
> cave somewhere in suburbia. "Hey, if we switch to whitelisting our 
> point of sales systems, will that prevent hackers from stealing all 
> the credit cards that people still use to buy their kids giant book bags that can double as Go Karts?"
>
> And the answer, is of course, that if you put lots of sugar in a bowl, 
> flies will find a way to eat it.  Life will find a way! It's the 
> Jurassic Park rule, and it applies equally to credit card numbers,  
> RSA token key information and State Department cables. The way to 
> secure your data is not to add layers of encryption and whitelisting, 
> but in fact, just to make it less valuable. You can see Archer saying 
> "This is why we get Ants" right here, and it's not a coincidence that INNUENDO's logo is a big ant head.
>
> -dave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave


More information about the Dailydave mailing list