May 2008 Archives

Wireless Web-Enabled Door Locks?!

I just came across this article announcing Schlage and Z-Wave releasing a wireless door knob/lock. I'm honestly in shock. Given the history of very breakable security measures seen in supposedly secure wireless protocols (802.11a/b/g/n, WEP, WPA, LEAP, Bluetooth, etc), I don't see this as being any sort of good idea. As far as I know, there are no current security issues with Z-Wave's technology. Then again, I haven't heard of anyone actually taking a close look at it. I can virtually guarantee that once one of the many wireless security experts out there decides to break it, it will happen quickly.

Most of you might think I'm a nut for blasting this without first trying it myself, but there is a concrete reason this is a bad idea. It comes down to forensics and liability. Suppose someone breaks into a house protected by one of these units by exploiting the wireless controller. Aside from a bunch of missing stuff, there is no evidence that anyone actually broke in. Even in the best cases (bumping aside), a picked lock will show irregular scratches inside the keyway, and forced entry leaves obvious tell-tale signs. A lock opened over the air would likely be indistinguishable from one that was simply left unlocked, or one that had malfunctioned. When you then ask your insurance company to cover the loss, they'll likely laugh at you and refuse to reimburse you.

In short, this sounds fun for keeping the kids out of the utility closet, or perhaps for some other hobby use, but don't use it to protect ANYTHING important.


We were recently featured in a short video for Wall Street West, which is an initiative here in Eastern PA to set up an emergency backup for the real Wall Street in NYC.

Anyway, the video doesn't exactly go into any sort of detail... on anything... but it's still a reasonably good showing for White Badger Group. Here's the link to the page with all the videos for the different regions, and here's the video for Lehigh Valley, which is the one we're in. Enjoy.

Security Basics: Part 4 - Paranoia

Paranoia

Every good security professional has a healthy respect for the unknown, which is usually labelled paranoia. An appropriate amount of paranoia, applied in the right area, makes you quite effective at securing the network you're in charge of. The key is education. This doesn't mean you need a degree in watching over your shoulder, but you should know what to be afraid of, and how to make sure you find out if and when trouble is happening.

On a recent Pauldotcom podcast, the point was made that most people don't really get serious about securing their code or systems until they've personally been attacked. The flip side is that actually doing some of the attacking, and seeing it work firsthand, usually has the same effect. As such, it's important that all IT professionals get that experience at some point in their careers.

I find it very interesting how human psychology impacts the information security industry. To me, it seems very straightforward. You have something of value, bad people want it, you need to protect yourself. There's nothing outlandish or new there, that concept has existed since the beginning of life. But somehow, despite our advanced intelligence and civilized society, we all seem to have a default naiveté when it comes to information and IT security. I suppose this effect also occurs elsewhere, such as when a person doesn't regularly wear a seat belt until he/she has been in a serious car accident.

Given the above, it's not difficult to understand why FUD-style (fear, uncertainty, doubt) marketing is necessary and does work. Putting someone into a state of fear is an incredibly effective way of switching them from actively opposing security to actively embracing it.

To be an effective information security professional, what you need is a balanced, aware, and fact-driven sense of paranoia. The proper balance is struck when your paranoia drives you to have a constant need for security without blinding you to the reality of your environment. As such, you need to be incredibly aware of the organization you are working within. While security is important, it needs to coexist with functionality, usability, and visibility, while also making the political, budgetary, and regulatory parts of the equation work. Because paranoia is a 100% emotional response, it's important to keep it properly in check. All decisions need to be passed through a filter of reasonability and facts, so that you don't spend all of your resources defending unevenly against the one threat that scares you the most.

I think all good security professionals possess the right kind of paranoia, the kind that drives them to stay effective and not become stagnant or complacent. I personally think every IT professional would do well to acquire a bit of this paranoia. While it usually comes as the result of a negative experience, it can also be had by way of a class with hands-on hacking. However you get it, your effectiveness and career will benefit greatly, as will the security of everything you touch.

Down Time

The server on which this blog is hosted, like the blog itself, is an experiment and exercise for me. I very foolishly made some changes to the server which totally hosed it, resulting in the down time over the last week or so. I've learned my lesson, and am better for it. I'm sure it's not the last time I'll screw up, but future mistakes will hopefully be less disruptive because of the measures I've put in place.

About this Archive

This page is an archive of entries from May 2008 listed from newest to oldest.
