[Dailydave] Security Paleontology - The Jurassic Park rule

Wolfgang Kandek wkandek at qualys.com
Thu Jul 17 12:40:02 EDT 2014


Interesting thought. I listened to the following report on Visa's new
Checkout system on my way home from work yesterday and it seems in line
with your suggestion. Online retailers get a one-time token for each
transaction from Visa's system which makes storage of card data
unnecessary at the retailer. I think that is comparable to what a
PayPal transaction would look like, but I am not sure how the same
level of comfort (1-click buy) that we have today with credit card
storage can be reached with this type of system.

http://wnpr.org/post/visa-makes-big-move-boost-consumer-spending-online

-
Wolfgang


On Thu, Jul 17, 2014 at 6:51 AM, Dave Aitel <dave at immunityinc.com> wrote:
> I got a bunch of replies that said this:
> """
> Dave, enjoyed reading your rant, but I don't understand your punchline on
> securing data --"but in fact, just to make it less valuable" - how do you
> make data less valuable?
> """
>
> So to bring us back to how you do this, let's take a quick look at credit
> cards and Target, which are the best example of an "If you collect it,
> hackers will come" information security strategy. What Target really wants
> is not Chip and Pin (or worse, Chip and Sign), but a transactional system
> that is only good ONE TIME and to ONE PERSON. What they want is something
> where I say "On this day please pay Target 11.50 USD" and then
> cryptographically sign it. This is actually not that hard to do in the age
> of smart phones and Google wallet.
>
> If you steal a bunch of those signed blobs, NOBODY CARES. They are useful
> only to Target and only for that one day. I guess you could datamine them
> and find out I bought a toothbrush that rotates because I'm a sucker for
> such things, but that's it.  We don't as a society have to fund a giant team
> of FBI and SS agents to hunt down teenagers in Eastern Europe (those
> headlines where we crow about arresting some teenager are embarrassing to
> everyone involved).
>
> In RSA's case you have to wonder why they have the key material for their
> SecurID tokens in a DB of any kind at all? Just delete that stuff as you
> create it. Instead of collecting data, how about NOT collecting data?
> Wysopal likes to go on about "security technical debt", which is essentially
> when you are building a system and you don't consider security and later you
> have to assess, retrofit, or junk the entire system (this is the credit card
> system from A to Z in a nutshell). Honestly, this is something M&A people
> really should take into consideration a lot earlier in their valuation
> process.
>
> But there is also a technical debt associated with collecting any kind of
> large database of information. This is counter-intuitive because having lots
> of information is a very valuable thing for a corporation or Government
> agency! But it is also a huge liability, and so building these databases
> should be undertaken with caution. If you haven't asked "How can I make this
> database valueless to anyone but me?" then you have already failed at
> information security and you are left to worry about IT security instead.
>
> -dave
>
>
>
>
> On 7/16/2014 4:29 PM, Dave Aitel wrote:
>
> Like many of you, I went to the theater with a child much too young and
> re-watched new and more awesome 3D-Jurassic Park until they cried loudly
> enough to annoy the other theater-goers and wanted to leave. Because in 3D,
> those big dinosaur things are scary. And also that dude gets eaten while on
> the toilet.
>
> And, honestly, looking at a lot of the security problems my friends are
> dealing with on the defensive side makes me re-iterate that I'd rather be
> eaten, while on the toilet if necessary, by a large reptile than ever try to
> convince someone that "cloud security" was possible. How are you going to do
> anything securely in the cloud, when the core problem of performance
> isolation is basically just a lot of hands waving over a lot of CPU's in the
> basic architecture of perfidy that Seymour Cray would have cried to have
> even dreamed about.
>
> I know you all feel the same way about sitting through any presentations on
> Internet Scale Performance - except all your IO is going over a cleartext
> leased line through both China and Russia before coming back to you, on
> machines whose hypervisors are all corrupted by malware that "can't possibly
> exist".
>
> And, of course, what my friends often want to know about is "the root
> cause".  You can probably see the former-Saudi-construction-project-managers
> that make up a lot of Al Qaeda's command structure thinking the same thing.
> "Maybe if we just stop using cell phones so much we'll stop getting eaten
> by the giant beasts that are hunting us?" And you can see Target's new team
> using that same tone of voice except in a much nicer cave somewhere in
> suburbia. "Hey, if we switch to whitelisting our point of sale systems,
> will that prevent hackers from stealing all the credit cards that people
> still use to buy their kids giant book bags that can double as Go Karts?"
>
> And the answer is, of course, that if you put lots of sugar in a bowl, flies
> will find a way to eat it.  Life will find a way! It's the Jurassic Park
> rule, and it applies equally to credit card numbers, RSA token key
> information and State Department cables. The way to secure your data is not
> to add layers of encryption and whitelisting, but in fact, just to make it
> less valuable. You can see Archer saying "This is why we get Ants" right
> here, and it's not a coincidence that INNUENDO's logo is a big ant head.
>
> -dave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
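The "On this day please pay Target 11.50 USD, cryptographically signed" transaction Dave describes above, as an added example that is not part of the original thread. It shows why a database of such blobs is worthless to a thief: each one is bound to a merchant, a date and a single-use nonce, and the issuer rejects any copy that is replayed, presented by a different merchant, presented a day late, or edited. HMAC-SHA256 over a key shared only between the customer's wallet and the issuing bank stands in for the digital signature the thread describes (a production design would use a public-key signature so the verifier holds no secret); merchant names, amounts, dates and the key are constructed for this example.

```python
"""Added example (not from the thread): a payment authorization that is
good for ONE merchant, ONE day and ONE use, so a stolen copy is worthless.

HMAC-SHA256 keyed with a secret shared only between the customer's wallet
and the issuing bank stands in for the digital signature the thread
describes; a production design would use a public-key signature so that
the verifier holds no secret. Merchant names, amounts, dates and the key
are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Wallet:
    """The customer's device: produces signed one-time authorizations."""
    key: bytes  # constructed shared secret, known to wallet and issuer only

    def authorize(self, merchant: str, amount: str, day: str) -> dict:
        body = {
            "merchant": merchant,            # who may be paid
            "amount": amount,                # how much
            "currency": "USD",
            "day": day,                      # only valid on this date
            "nonce": secrets.token_hex(8),   # only valid once
        }
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


@dataclass
class Issuer:
    """The bank: verifies each blob and remembers which nonces were spent."""
    key: bytes
    spent: set = field(default_factory=set)

    def settle(self, blob: dict, presenting_merchant: str, today: str) -> str:
        body = blob["body"]
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Any edit to merchant, amount or day invalidates the signature.
        if not hmac.compare_digest(expected, str(blob.get("mac", ""))):
            return "rejected: bad signature"
        # A blob lifted from one merchant's database cannot be cashed by another.
        if body["merchant"] != presenting_merchant:
            return "rejected: wrong merchant"
        if body["day"] != today:
            return "rejected: expired"
        # Presenting the same blob twice is caught by the nonce ledger.
        if body["nonce"] in self.spent:
            return "rejected: replay"
        self.spent.add(body["nonce"])
        return "approved"


def demo() -> list:
    """Run the thread's scenario and return every settlement outcome."""
    key = secrets.token_bytes(32)  # constructed; provisioned out of band
    wallet, bank = Wallet(key), Issuer(key)
    today, tomorrow = "2014-07-17", "2014-07-18"

    blob = wallet.authorize("Target", "11.50", today)
    results = [
        bank.settle(blob, "Target", today),   # legitimate purchase
        bank.settle(blob, "Target", today),   # same blob presented again
    ]
    # Now suppose the merchant's stored blobs were copied and misused.
    stolen = wallet.authorize("Target", "11.50", today)
    results.append(bank.settle(stolen, "OtherShop", today))  # cashed elsewhere
    results.append(bank.settle(stolen, "Target", tomorrow))  # used a day late
    tampered = {"body": dict(stolen["body"], amount="999.00"), "mac": stolen["mac"]}
    results.append(bank.settle(tampered, "Target", today))   # amount edited
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The checks in `Issuer.settle` run before the nonce is recorded, so a blob rejected for the wrong merchant or date does not consume its nonce and the legitimate holder can still use it; the merchant in this model only forwards blobs and never holds anything a thief could reuse.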

