Episteme

Mike's random thoughts and ramblings

Either it's a slow news year...

... or I should be submitting a whole pile of talks to next year's Blackhat. I just read the latest article over at Dark Reading about Matasano's upcoming Blackhat talk where they take apart a protocol that is used for financial transactions that is GASP badly designed and implemented!

I don't know if this is just Dave & Thomas going on their reputation as security bad-asses (which they are), but any time I've seen a protocol designed for use in a particular vertical, it had many of the same design flaws described in Kelly's article. Whether in insurance, finance, health care, or whatever, this type of error abounds.

I remember a particular engagement at a large hospital that was running on one of these specialty protocols. The protocol was incredibly secure - if you connected to the appropriate port on any number of their systems, and issued a single byte command, it would send you the next patient record on its record stack. And if you issued a different (but equally complex) command, the system would allow you to input or modify whatever patient records it contained. No authentication, no authorization. No encryption.

And did I mention that this travelled over a wireless network?

I don't know that what Dave & Thomas are presenting is that unique - it's cool that they're going to do it, and I'm excited to see the talk. But they're just scratching the surface of the tip of a very, very, very large iceburg.

Share this post

About the author

Michael Murray

Michael Murray