Home page logo

dailydave logo Dailydave mailing list archives

Re: Security Paleontology - The Jurassic Park rule
From: Wolfgang Kandek <wkandek () qualys com>
Date: Thu, 17 Jul 2014 09:40:02 -0700

Interesting thought. I listened to the following report on Visa' new
Checkout system on my home from work yesterday and it seems in line
with your suggestion. Online retailers get a one-time token for each
transaction from Visa's system which makes storage of card data
unnecessary at the retailer. I think that is comparable to how a
Paypal transaction would look like, but I  am not sure how the same
level of comfort (1-click buy) that we have today with credit card
storage can be reached with this type of system.



On Thu, Jul 17, 2014 at 6:51 AM, Dave Aitel <dave () immunityinc com> wrote:
I got a bunch of replies that said this:
Dave, enjoyed reading your rant, but I don't understand your punchline on
securing data --"but in fact, just to make it less valuable" - how do you do
make data less valuable?

So to bring us back to how you do this, let 's take a quick look at credit
cards and Target, which are the best example of an "If you collect it,
hackers will come" information security strategy. What Target really wants
is not Chip and Pin (or worse, Chip and Sign), but a transactional system
that is only good ONE TIME and to ONE PERSON. What they want is something
where I say "On this day please pay Target 11.50 USD" and then
cryptographically sign it. This is actually not that hard to do in the age
of smart phones and Google wallet.

If you steal a bunch of those signed blobs, NOBODY CARES. They are useful
only to Target and only for that one day. I guess you could datamine them
and find out I bought a toothbrush that rotates because I'm a sucker for
such things, but that's it.  We don't as a society have to fund a giant team
of FBI and SS agents to hunt down teenagers in Eastern Europe (those
headlines where we crow about arresting some teenager are embarrassing to
everyone involved).

In RSA's case you have to wonder why they have the key material for their
SecureID tokens in a DB of any kind at all? Just delete that stuff as you
create it. Instead of collecting data, how about NOT collecting data?
Wysopal likes to go on about "security technical debt", which is essentially
when you are building a system and you don't consider security and later you
have assess, retrofit, or junk the entire system (this is the credit card
system from A to Z in a nutshell). Honestly, this is something M&A people
really should take into consideration a lot earlier in their valuation

But there is also a technical debt associated with collecting any kind of
large database of information. This is counter-intuitive because having lots
of information is a very valuable thing for a corporation or Government
agency! But it is also a huge liability, and so building these databases
should be undertaken with caution. If you haven't asked "How can I make this
database valueless to anyone but me?" then you have already failed at
information security and you are left to worry about IT security instead.


On 7/16/2014 4:29 PM, Dave Aitel wrote:

Like many of you, I went to the theater with a child much too young and
re-watched new and more awesome 3D-Jurrassic Park until they cried loudly
enough to annoy the other theater-goers and wanted to leave. Because in 3D,
those big dinosaur things are scary. And also that dude gets eaten while on
the toilet.

And, honestly, looking at a lot of the security problems my friends are
dealing with  on the defensive side makes me re-iterate that I'd rather be
eaten, while on the toilet if necessary, by a large reptile than ever try to
convince someone that "cloud security" was possible. How are you going to do
anything securely in the cloud, when the core problem of performance
isolation is basically just a lot of hands waving over a lot of CPU's in the
basic architecture of perfidy that Seymore Cray would have cried to have
even dreamed about.

I know you all feel the same way about sitting through any presentations on
Internet Scale Performance - except all your IO is going over a cleartext
leased line through both China and Russia before coming back to you, on
machines whose hypervisors are all corrupted by malware that "can't possibly

And, of course, what my friends often want to know about is "the root
cause".  You can probably see the former-Saudi-contruction-project-managers
that make up a lot of Al Quada's command structure thinking the same thing.
"Maybe if we just stop using cell phones so much we'll stop getting eating
by the giant beasts that are hunting us?" And you can see Target's new team
using that same tone of voice except in a much nicer cave somewhere in
suburbia. "Hey, if we switch to whitelisting our point of sales systems,
will that prevent hackers from stealing all the credit cards that people
still use to buy their kids giant book bags that can double as Go Karts?"

And the answer, is of course, that if you put lots of sugar in a bowl, flies
will find a way to eat it.  Life will find a way! It's the Jurassic Park
rule, and it applies equally to credit card numbers,  RSA token key
information and State Department cables. The way to secure your data is not
to add layers of encryption and whitelisting, but in fact, just to make it
less valuable. You can see Archer saying "This is why we get Ants" right
here, and it's not a coincidence that INNUENDO's logo is a big ant head.


Dailydave mailing list
Dailydave () lists immunityinc com

Dailydave mailing list
Dailydave () lists immunityinc com

Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]