Cheating Vegas and Cheating America

Have you watched the show "Cheating Vegas"? What do you think of criminals' high-tech sophistication?


I distributed a case study of a hacker who took on ATM security. He purchased an ATM and its associated documentation, something costing him thousands of dollars. This allowed him to write boot code that would provide a substantial payout.

This morning, I decided to wake early, sip my Gevalia coffee, and watch a little TV. The show "Cheating Vegas" detailed a pair of criminals who engineered some two decades of slot machine cheats.

Starting first by raising $1000 to buy a current slot machine...

These were paroled criminals. Very little electronics background. Just an uncanny ability to deduce security vulnerabilities in mechanical systems. Even as the slots went from mechanical triggers to optical sensors, they cobbled together lights on a wand that would trick the machine into dumping quarters into the bucket.

And that is the lesson for me... America's products simply must be engineered against the criminal factor. We can't assume strategic weaknesses in products won't be noticed by increasingly determined criminals, who will exploit your organization's product and service vulnerabilities.

The ATM exploit example I cite is especially pungent.  After confirming the vendor provided NO secure boot code verification process, the next finding continues to baffle me.  The vendor not only used the same key for every one of its 22,000+ internationally located ATMs; the vendor sold the hacker one of those keys for less than 10 bucks, enabling him to attack any ATM sold by the vendor.  Located ANYwhere!

No one is revealing the cost of implementing a secured boot image and varying those new key/lock tumbler combinations on those thousands of existing systems located internationally. But let's speculate on the costs to implement security, correctly, in the product design and rollout process.

Security is mission-critical for more than just software development...

jt
