December 20, 2006 at 7:09 pm
The Yardstick Injection Attack
No, it's nothing pornographic, but this is pretty funny. A brand new bank, with lots of high-tech security, finds itself vulnerable to a new type of injection attack. It seems the bank has sliding doors that require an RFID card to get through from the outside, but open in response to motion from the inside. Supposedly a high-security setup.
Until someone takes a folding yardstick, slips it through the doors, and opens them without an RFID card.
It's a good story to illustrate why it's important for those that design security to get lots of feedback from the users and other designers to find the flaws in the system. Every system will have flaws, and as they become more complex, it's harder and harder for those building the systems to actually see all the possible ways that attacks might occur.
It's a good argument for Open Source, but it's an even better argument for disclosure. Having a security system that's secret isn't more secure, despite the fact that it seems it should be. There are some very, very smart people in the world and it seems a good proportion of them have decided to work on the far side of the law. If there's a hole, it seems they'll find it.
Security is a tough war to fight. It requires battle after battle against an ever-changing enemy and it never ends. I certainly understand how much of a pain it can be to adhere to rules and regulations in an IT environment, but most of those rules exist to try and make things more secure. It just takes some discipline to plug away at it for a few weeks.
And make it a habit so it fades into the background and you don't even notice the extra steps.
Steve Jones
December 21, 2006 at 7:42 am
I check out WTF every day (right after sqlservercentral.com) if I can. They tend to get sanctimonious at times (if you never have deadlines and never do anything new or cutting edge, you have a chance to avoid any and all WTF in your code -- I always grimace when I look at my old code!)
I hope never to star there!
I really enjoy your site. Thanks for all you guys do.