Message-ID: <Pine.LNX.4.64.0606271744520.6281@catbert.rellim.com>
Date: Wed Jun 28 01:56:24 2006
From: gem at rellim.com (Gary E. Miller)
Subject: Sniffing RFID ID's ( Physical Security )
Yo Josh!
On Wed, 28 Jun 2006, Josh L. Perrymon wrote:
> From a pen-testing perspective: What do you guys think that large companies
> would say about this risk? Is this valid enough to cause change in an
> organization? Or is this like most everything else we see.. reactive only.
> Will it take a major breaking or loss before a Fortune 500 company would
> pull out their insecure RFID system?
Just like any other software vulnerability.
First, no one will believe it is possible. So you demonstrate that you
can hack the system.
Two, the vendor and management will claim that either you used inside
information not available to an attacker, or that criminals are too
dumb to duplicate what you did. So you put your concerns in a memo as
an "I Told You So".
Three, while everyone is in denial there will be mysterious and
unexplained disappearances. Everyone is baffled.
Four, some high profile site will publicly succumb to this attack.
Everyone involved will proclaim they had no idea such a thing was
possible, your memo has been shredded.
RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@...lim.com Tel:+1(541)382-8588