IOACTIVE REALITY

In 2006, more than 48 million personal records were exposed according to the Data Loss Archive and Database maintained by attrition.org.

Information published by the Ponemon Institute states that data breaches have increased by 31% this year and the average cost incurred to disclosing companies is 182 dollars per compromised record.

This equates to $8.7 billion in financial losses for 2006.


PRESS RELEASES

ENTIRE WEB AT RISK: EARTHLINK AND VERIZON ADVERTISING SECURITY REVEALED

4/19/2008

Dan Kaminsky, Director of Penetration Testing at IOActive, discussed a new Web vulnerability at the Toorcon Security Conference on April 19, 2008. Ad injection systems at major ISPs, including Earthlink and Verizon, were vulnerable to cross-site scripting attacks. These systems mimic the entire Web as part of daily operations; therefore, their vulnerabilities affect everyone’s domains. Users at these ISPs were at risk and their sensitive data was jeopardized—credit card numbers, email information, and passwords—which could have caused considerable damage if left untreated.

The full press release is available here

HID GLOBAL CORPORATION DEMAND LETTER TO IOACTIVE AVAILABLE

3/1/2007

In a public statement released on February 28, 2007, HID Global Corporation stated:

"HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC..."

And further stated:

"Under no circumstance has HID asked IOActive or Mr. Paget to cancel their presentation. In fact, we were surprised by their decision to cancel the presentation and to attribute the cancellation to a threat from HID. This was not, and never was, HID's position."

IOActive would like to provide interested parties with the facts surrounding the relevant communication that was received by IOActive on this matter, and formed the basis of business decisions made by IOActive regarding the Black Hat presentation.

The ACLU has made the text of the letter received by IOActive from HID Global Corporation available here >>

IOACTIVE PROVIDES CLARIFICATION REGARDING DISPUTED MATERIAL

3/1/2007

At IOActive, we have noted that some of the press coverage, weblog postings, and commentary on the recent disagreement with HID Global Corporation state or imply that the schematic diagrams and source-code that were redacted from our presentation at Black Hat were in fact the property of HID Global Corporation.

IOActive would like to clarify that the electronic design of our device, the associated schematic diagrams, and the source-code for the micro-controller component were developed by IOActive completely independent of any HID documents, and were principally based on information available on the Internet regarding RFID technology. In fact, we did not view any documentation prepared or produced by HID Global Corporation about their technology until after we received their demand letter.

IOActive's redacted presentation on RFID security is available here >>

IOACTIVE WITHDRAWS BLACK HAT PRESENTATION; ACLU WILL PRESENT

2/26/2007

As an active member of the information security community, IOActive is committed to protecting organizations and the public against technical threats. For example, IOActive was one of the early private sector companies to offer volunteer security services to the FBI in performing steganographic analysis of data traffic immediately after 9/11. IOActive has also donated well over $250,000 worth of services to non-profit organizations and universities.

As part of ongoing research into the efficacy of various security technologies, IOActive began exploring RFID technology from a security perspective. In particular, we became interested in the application of the technology in proximity badges commonly used to control physical access to buildings and data centers.

Since IOActive's offices are located in a building that uses this proximity badge technology, and also houses components of the nation's critical infrastructure, IOActive launched a research and development effort to help us better understand the exposures and vulnerabilities related to this technology.

As IOActive's researchers explored the security aspects of proximity badge technology, they became interested in validating long-standing theoretical attacks, taking them out of the academic realm, and verifying through actual implementation that such attacks might be practical and easily carried out.

The concepts behind this attack are not new. Indeed, most of our efforts in validating the effectiveness and ease of this attack involved reviewing research already performed by others in this area. In fact, HID Global Corporation, the leading manufacturer of these kinds of systems, has published a white paper that describes their next-generation contactless smart card technology and the advantages of this technology over traditional proximity badges. In describing these advantages, this paper highlights potential vulnerabilities in proximity badge technology.

The HID Global Corporation white paper is two years old, and available at their website:

http://www.hidcorp.com/pdfs/HID_wp_smartcardAC.pdf

IOActive used its research to prepare a briefing for security professionals to be presented at the February 28, 2007 Black Hat Convention. IOActive's intention was to raise awareness among security practitioners regarding the vulnerabilities of this technology, and to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets. IOActive's intended message was that this technology should be used merely as one component in a Defense in Depth strategy. The effective implementation of such a strategy must encompass people, process, and technology. If, due to particular organizational drivers, greater reliance must be placed on the technology, then systems that offer additional security features (such as HID Global Corporation's iClass products) should be considered.

HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the Black Hat Convention, on the basis that "such presentation will subject you to further liability for infringement of HID's intellectual property." In HID's view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).

As a consequence, under advice of counsel, IOActive has withdrawn its presentation at the Black Hat Briefings, in order to address the demands of HID Global Corporation, and to protect IOActive's researchers from adverse action.

We would like to thank everyone at Black Hat, CMP, the ACLU, and K&L Gates for showing their support in this matter.

Very Kindly,

Joshua J. Pennell

Founder and President, IOActive, Inc.


Read The ACLU's Comments here >>

The ACLU Presentation on RFID security is available here >>

More Articles Available here >>

IOACTIVE DEMONSTRATES SECURITY HOLES IN WIRELESS NETWORKING TECHNOLOGY

2/2/2007

Engineers from the Seattle Security Firm Show Local Reporter Just How Easy it is to Break into a Wireless Router

Engineers from the Seattle-based information security services firm showed a local news reporter from KIRO Channel 7 just how easy it is to break into a standard wireless router or access point. IOActive security consultants Damon Cortesi and Walter Pearce had the reporter type in a password used to access and configure a wireless router (just like the routers used in many thousands of homes across the country). The team then cracked the password and showed it to the reporter within a matter of minutes, using off-the-shelf computers and specially written software tools.

In addition to cracking the password the reporter had used, the team was able to watch and record the websites the reporter visited. As a final demonstration of the security weaknesses inherent in the technology, they obtained the credit card number, along with other personal information, that the reporter used to make a sample purchase on Buy.com.

The segment is set to air on Channel 7 KIRO in the Seattle-Tacoma area following the Superbowl broadcast on Sunday, February 7th, 2007.

Damon and Walter work for IOActive, a rapidly growing information security services firm established in 1998. In addition to being one of only three firms in the world tasked with helping Microsoft secure its brand new Vista operating system, IOActive has helped various Fortune 500 organizations with services ranging from enterprise risk management to independent technical validations of security hardware and a wide range of applications.

IOActive’s advisory board is headed by Steve Wozniak, and the company is staffed with highly technical consultants with extensive experience from various backgrounds including law enforcement, financial services, software development, and advanced governmental research.

If you would like more information about this topic, or would like to schedule an interview with any of IOActive’s technical resources call Dan Schaffner at 206.784.0222 or email using daniel.schaffner ( AT) IOActive (DOT) com