I recently attended the BlackHat Europe briefings in Amsterdam and sat in on a number of the many interesting talks. The briefings highlighted how many extremely intelligent and dedicated professionals there are within the information security field who work tirelessly to help us better defend our networks from those with less admirable goals.
Two talks in particular got me thinking about our rush as an industry to get new technologies to market without proper research into the implications of deploying that technology. The old adage “Those who do not learn from history are bound to repeat it” applies as much to IT as it does to any other walk of life. Yet despite the much publicised and widely known security holes in products and technologies released in the past, we are still pushing new technology into the market without adequate protection.
Adam Laurie, CSO for The Bunker, gave an excellent talk on the weaknesses inherent in RFID technology. Adam demonstrated how RFID chips can be cloned with equipment that is easily sourced and not overly expensive. RFID tags used in applications ranging from access control to pet tracking were demonstrated to be easily cloned. More information on Adam’s research can be found at http://rfiditiot.org, while his presentation can be viewed on the BlackHat website.
Another interesting talk was given by Philippe Langlois on SS7 and communication networks. Yet again, technology is being pushed out without the underlying foundations being made secure. Philippe’s presentation does this topic a lot more justice than I could.
But the underlying message I took away from BlackHat is: why are we as an industry not learning from history and taking the time to ensure the technology we use is fit for purpose and secure? Is it because, as an industry, we are so caught up with the latest and greatest new thing that we do not take the time to learn our lessons from history? The argument about speed to market and grabbing commercial advantage holds little water if a security breach in the above technologies results in the loss of critical services or, in the worst case, the loss of life.
Or perhaps the saying “you don’t have to be mad to work in IT, but it certainly helps” is truer than we like to admit. After all, as Einstein is quoted as saying, “The definition of insanity is doing the same thing and expecting a different result.”