Publicity we can all do without

Publicity-seeking security researchers are a welcome boost to journalists, but they are a pain for serious security practitioners who spend many years developing and justifying security solutions for a largely resistant and doubting community of business managers and customers, only to find their efforts undermined by sensational media claims that their countermeasures are not 100% perfect. 
This week we have seen two sets of claims that undermine existing security solutions, and as a result might hold back their adoption. The first is a claim by a former US Army computer security specialist that he has devised a way to break the security of Trusted Platform Module (TPM) chips through a sophisticated attack. Of course the press failed to point out that such an attack requires a high degree of skill and hundreds of thousands of dollars' worth of equipment to break a single chip, not something your average criminal is likely to have at their disposal. The second is the claim by Cambridge University that they can manipulate a stolen chip and PIN card to carry out a seemingly authentic transaction, despite the fact that the attack requires specialised skills and equipment and is claimed to be detectable.
Theoretical attacks prove little or nothing that we don’t already know. Information systems are not designed to have perfect security. They are designed to resist the level of anticipated attacks at an affordable cost. One would have thought that Cambridge University would have grasped this point, having spent many man-years attempting to research the economics of security.
Whatever you might think about TPM chips and chip and PIN card systems, they both represent significant advances in security solutions, something that is unfortunately in short supply in an academic security community that increasingly prefers to break rather than build security systems.  

Join the conversation

Yes, why did Cambridge have to go public? The responsible thing to do was tell just the banks or security personnel, if banks had accused innocent cardholders of not being careful following such fraud.
Not only is Chip & Pin broken, but also CAP, which is used to verify online transactions, is broken. A stolen card can be used to access online accounts and transfer money.
The Cambridge researchers *did* tell the banks two months ago. Furthermore, this equipment is no more sophisticated than the ATM skimmers that are already widely deployed, and only one criminal needs to understand the technical bits before a whole underground market has access to this attack. This is a very real attack, which might explain some of the "PIN Verified" phantom withdrawals that real customers are already making real complaints about.
@your previous commenter. The reason academic researchers make things public is because they're paid to do so. That's the job of a researcher: to contribute to public knowledge. We informed the banks at the beginning of December privately, so they had time to deal with it before publication. That addresses the question of why we made it public: it's a requirement of the job. Why did we press release about it, and make a big song and dance? That's another question entirely...
Without public disclosure what makes you think banks would be responsible? Further good discussion here: Natural Result of Slouching Towards Medium Assurance
Another great idea from this useless Government, seriously flawed like the UK Govt certified encryption used for protecting those Kingston pen drives, which proved to be seriously flawed, remember? Is the same UK Govt certified encryption guarding all the databases which this Government are constantly adding our personal information to? Makes you wonder where all the 'Bank Money' really went, does it not? Signed Carl Barron, Chairman of agpcuk
Neither of the attacks you are referring to is theoretic. On the contrary, both represent practical implementations of attacks. They extend our knowledge by showing us ways of achieving what an attacker should not be able to achieve, and by giving us insight into the effort and side conditions required. I don't see any problem with doing such research and talking about it. I do see a problem, however, with the idea that we might just declare attacks "theoretical" without even trying to implement them in practice.