RE: RFID Tags

From: Thompson, Jimi (JimiT@mail.cox.smu.edu)
Date: Wed May 12 2004 - 17:43:51 EDT


<SNIP>

> It seems to me that some of these attacks sound great at first, but break
> down when you consider how it would REALLY play out. For one, if you get
> on the train and inventory everyone's clothing...how do you know which shirt
> goes with which pants or shoes?

Easy - signal strength.
</SNIP>

Let's go back to our hypothetical commuter train for a moment. I think
that this would be more valuable in a targeted attack than a general
fishing expedition. Let's pretend for a moment that I'm a black hat and
I'm looking to score. The one thing people carry with them that's the
most valuable is data. If I've been hired by ABC Company to snoop on
XYZ Company, all I have to do is find out which train the Finance Manager,
Senior Director John Doe, rides on. Now I walk up to him, and instead
of bumping into everyone on the train, I just bump into John Doe. By
doing this, I've just cloned the contents of his wallet, PDA, cell
phone, and briefcase. If the business cards he's got tucked away carry
RFID, I know who his business contacts are. His cell phone will give me
even more data. Since cell encryption is a joke, at least in the US, I
should be able to tap in to all the important cell numbers and monitor
their discussions. I might even be able to remotely activate the phone
and with the contents of his PDA, I'll have a better idea of when I want
to listen. I can probably find out what his credit cards are being used
for, even if I can't charge things on them myself. I'll know where he
shops, since his clothing and other items all have RFID. How much more
do you want to "own" someone? Using the information that tapping his
personal data gives me, I can expand my net to include other employees
of XYZ Company. If he's doing anything indiscreet, I'm going to know
about it in fairly short order and then he's really mine.

<SNIP>

> As for credit cards, this is extremely easy to deal with. The cards
> themselves that have been seen so far have a very limited range, measured in
> inches. I can think of a wallet design that would shield the cards a bit,

It's a plan, but this is just asking for the Black Hat to use a
stronger transceiver. It's just building a higher fence; not really
a long-term solution.
</SNIP>

I can't get end users to quit downloading online casino software. I'm
certainly not going to be able to get them to purchase shielded wallets!

<SNIP>
> up against everyone like a comically-indiscreet pickpocket. And this all
> assumes that all the credit cards in the wallet don't respond at the same
> time, on the same frequency, thus garbling the results.
</SNIP>

Again, I think this is far more likely to be used in a targeted attack
than a generalized attack.

<SNIP>

Unfortunately, the real world dictates that security be a feature of
pretty well everything.
</SNIP>
<SNIP>

I imagine that a database will be built which will list individual
numbers, and ranges of numbers, which are known to correspond to
specific items.

</SNIP>

You mean like the lists that exist of police and fire radio frequencies,
which are supposed to be "secret"?

<SNIP>
> A RFid tag has big limitations too, once you chop off part of the antenna
> it's worthless. The physics of radio waves limits that.
</SNIP>

Why should the attack simply be to read the data? What if I replace the
data? Or what if I just destroy the data? Or if I'm a terrorist and I
want to hide my identity? Can I obscure the data from law enforcement
while I'm in a crowd at, say, a rock concert?

2 cents,

Jimi Thompson




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT