Major Malfunction makes the news again
  • Major Malfunction makes the news again

    Adam is once again turning heads and awakening the clueless with regard to poor security. The latest fish reeled in and gutted is a big one... RFID passports.

    http://www.guardian.co.uk/idcards/st...950226,00.html

    Six months ago, with the help of a rather scary computer expert, I deconstructed the life of an airline passenger simply by using information garnered from a boarding-pass stub he had thrown into a dustbin on the Heathrow Express. By using his British Airways frequent-flyer number and buying a ticket in his name on the airline's website, we were able to access his personal data, passport number, date of birth and nationality. Based on this information, using publicly available databases, we found out where he lived, his profession, all his academic qualifications and even how much his house was worth. It would have been only a short hop to stealing his identity, committing fraud in his name and generally ruining his life.

    Great news then, we thought, that the UK had just begun to issue new, ultra-secure passports, incorporating tiny microchips to store the holder's details and a digital description of their physical features (known in the jargon as biometrics). These, the argument went, would make identity theft much more difficult and pave the way for the government's proposed ID cards in 2008 or 2009.

    Today, some three million such passports have been issued, and they don't look so secure. I am sitting with my scary computer man and we have just sucked out all the supposedly secure data and biometric information from three new passports and displayed it all on a laptop computer.
    heh, silly reporter, calling MM a scary character. he's downright pleasant and genial compared to many other folks i've met at con... even with a large boomstick in his hands.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor

  • #2
    Re: Major Malfunction makes the news again

    Last week I was speaking at a conference at which a representative of the State Department department for the ePassports was speaking as well.

    Short version is that the covers naturally open approximately 1 inch when laid on a table. A damaged/destroyed RFID tag does not invalidate the passport. The State Department won't release the 'independent' NIST test data.
    Never drink anything larger than your head!


    • #3
      Re: Major Malfunction makes the news again

      Ah, I love the government. Makes me wonder how they ever catch any hackers; I mean, how stupid do you have to be? If the chip says the same thing as the paper then the chip is there for what, because people are too lazy to compare the people to the paper? Plus, like I said, the chip says the same thing as the paper and really all you've got to do is write your own chip using the clone of the original as the blueprint, and you've got the encryption right there because you've already broken it. Makes me want to find a government IT guy and club him over the head until he gets some common sense. What kind of scares me though is what's going to happen when the government starts censoring what people are allowed to buy; guess that means I'm going to have to start making my own equipment again. All I can hope (I'd pray but I'm not religious) is that there's something MM and that German professor missed, like a really complicated watermark or something. Ha, here's a thought: include a really nasty virus on the chip that corrupts the computer's BIOS and does a couple of high-level formats.

      Almost makes me want to get a passport just to mess with it.
      Last edited by Rance; November 17, 2006, 21:52.
      There is nothing more dangerous than people with a little knowledge. Which means society is mostly safe.



      • #4
        Re: Major Malfunction makes the news again

        It's an HF 13.43 MHz chip. The specs are all online. The internals are where the voodoo is.

        The crypto relies on a procedure to be 'secure'. The passport gets in proximity and is powered. The MRZ (machine readable zone, the garbled text stuff at the bottom of the ID page) needs to be scanned into the reader, which then barfs out a key to the chip that then 'authorizes' it to dump out the contents (which is the same info as what is on the ID page of the passport).

        The key is made up of easily obtainable and guessable info.

        2 Issues I foresee are:

        1. It took a lot of teasing to get the info out, but the tag, when powered, still gives out its collision avoidance ID (google it), which could be uniquely identifying to the person or nationality (as the speaker pointed out, it's not hard to tell nationality by observation). As locals are unlikely to carry RFID passports, one could make the conjecture that a large density of tags means a number of tourists are nearby, and could signal..... whatever.

        2. Unconfirmed reports are that the photo contained on the passport RFID tag is not defaced. The digital photo printed on the ID card page gets embossed to make sure you can't easily substitute a new photo. The rumor is that the photo on the US passports is *NOT* defaced/embossed, thus giving a crook a pristine photo with which to work.

        You write a book and you learn a few things. Now buy the damn thing at the link below!
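The key-derivation step renderman describes (MRZ scanned, key spat out to the chip, everything in the key coming from the printed page) is the ICAO 9303 Basic Access Control derivation. The following is an added example, not code from the thread or from any passport reader: it builds the "MRZ information" string from document number, date of birth and date of expiry (each followed by its check digit), hashes it with SHA-1 to get a 16-byte seed, and derives the encryption and MAC keys from that seed with the DES odd-parity adjustment. The sample field values are the ones used in the worked example in ICAO 9303 itself; the attacker scenario at the bottom (document number and birth date known, expiry narrowed to a one-year window) is constructed for illustration, and the function and variable names are my own.

```python
"""Added example: ICAO 9303 Basic Access Control (BAC) key derivation.

The reader derives the chip's access keys from three fields printed in the
passport's MRZ: document number, date of birth and date of expiry, each with
its check digit. Standard-library Python only.
"""
import hashlib
import struct
from datetime import date, timedelta

_WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeating across the field


def char_value(c: str) -> int:
    """MRZ character value: '0'-'9' as-is, 'A'-'Z' = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """Weighted sum of the field's character values, modulo 10."""
    total = sum(char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Concatenate the three fields, each followed by its own check digit."""
    doc = doc_number.upper()
    if len(doc) > 9:
        raise ValueError("document numbers over 9 characters use the extended MRZ encoding")
    doc = doc.ljust(9, "<")  # filler pads short numbers to the 9-character field
    return (doc + check_digit(doc)
            + birth_yymmdd + check_digit(birth_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))


def key_seed(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def _odd_parity(key: bytes) -> bytes:
    """Set each byte's least significant bit so the byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)


def derive_key(seed: bytes, counter: int) -> bytes:
    """K = parity-adjusted first 16 bytes of SHA-1(seed || counter), counter as 32-bit big-endian."""
    return _odd_parity(hashlib.sha1(seed + struct.pack(">I", counter)).digest()[:16])


def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (K_enc, K_mac): counter 1 for the encryption key, 2 for the MAC key."""
    seed = key_seed(doc_number, birth_yymmdd, expiry_yymmdd)
    return derive_key(seed, 1), derive_key(seed, 2)


def yymmdd_range(first_iso: str, last_iso: str):
    """Every date from first to last inclusive (ISO 'YYYY-MM-DD' strings), in MRZ YYMMDD form."""
    first, last = date.fromisoformat(first_iso), date.fromisoformat(last_iso)
    return [(first + timedelta(days=i)).strftime("%y%m%d")
            for i in range((last - first).days + 1)]


def candidate_keys(doc_numbers, birth_dates, expiry_dates):
    """Every (K_enc, K_mac) pair an attacker must try when the three fields are only partly known."""
    return {(d, b, e): bac_keys(d, b, e)
            for d in doc_numbers for b in birth_dates for e in expiry_dates}


if __name__ == "__main__":
    # Sample MRZ fields taken from the worked example in ICAO 9303.
    kenc, kmac = bac_keys("L898902C", "690806", "940623")
    print("K_enc", kenc.hex(), "K_mac", kmac.hex())
    # Constructed attacker scenario: document number and birth date already known,
    # expiry unknown but assumed to fall somewhere in one calendar year.
    space = candidate_keys(["L898902C"], ["690806"], yymmdd_range("2016-01-01", "2016-12-31"))
    print(len(space), "candidate key pairs, one SHA-1 per candidate")
```

The last function is what makes the "easily obtainable and guessable" point concrete: the search space is the product of whatever the attacker does not know about the three printed fields, each candidate costs one SHA-1, and nothing in the derivation adds entropy beyond those fields.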


        • #5
          Re: Major Malfunction makes the news again

          Originally posted by Rance View Post
          Ah, I love the government. Makes me wonder how they ever catch any hackers; I mean, how stupid do you have to be? If the chip says the same thing as the paper then the chip is there for what, because people are too lazy to compare the people to the paper? Plus, like I said, the chip says the same thing as the paper and really all you've got to do is write your own chip using the clone of the original as the blueprint, and you've got the encryption right there because you've already broken it. Makes me want to find a government IT guy and club him over the head until he gets some common sense. What kind of scares me though is what's going to happen when the government starts censoring what people are allowed to buy; guess that means I'm going to have to start making my own equipment again. All I can hope (I'd pray but I'm not religious) is that there's something MM and that German professor missed, like a really complicated watermark or something. Ha, here's a thought: include a really nasty virus on the chip that corrupts the computer's BIOS and does a couple of high-level formats.

          Almost makes me want to get a passport just to mess with it.
          I agree about the government's ignorance, but you know what they say: ignorance is bliss. By the way, about building your own hardware, do you know of any good FREE tutorials? (I'll end up googling it anyway, but I figured I might be able to kill two birds with one stone here.) I also like your idea about the BIOS corrupter and the high-level formats; it's quite classy. If you put some sort of delay on it you could be on your plane and out of the country before it hit, or you could sit and watch as the frustrated worker continues to reboot his/her machine but to no avail.
          Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. (Gene Spafford)



          • #6
            Re: Major Malfunction makes the news again

            Originally posted by renderman
            You write a book and you learn a few things. Now buy the damn thing at the link below!
            You really shouldn't do that, renderman. I find it really creepy when someone knows what I'm about to do before I do it.


            • #7
              Re: Major Malfunction makes the news again

              One of the colleges I work with had an article this week in their campus paper about the new e-passports... There was a quote from the local airport official that stated the advantages of the chip and that it would be "impossible to replicate"



              • #8
                Re: Major Malfunction makes the news again

                Correct me if I'm wrong, but don't quite a few members here work for the government?

                Maybe not some 007 job, but doing things like contracted design work etc..

                Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.

                I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but supposedly they exist.

                Maybe one of the authors who write books on vulnerabilities in other designs could prove that there is such a thing as a secure system one day by designing a system that doesn't have security holes, then selling the practical system to an international medium, so people the world over can be secure and not have to worry about anyone finding glitches that are the result of the creators' mistakes.

                I'm sorry if I hurt anyone's feelings, but it just seems that none of the enlightened people are putting any effort into the defense half of the security spectrum. Could it be that they're scared someone will expose insecurity in their creations?

                The way people present findings is in the context that they could have done it better. If you made a system where all private data was held in a human's mind you'd have people chasing them around with electrodes and surgical tools.
                Last edited by VAX_to_PBX; November 19, 2006, 21:46.



                • #9
                  Re: Major Malfunction makes the news again

                  Originally posted by VAX_to_PBX View Post
                  Correct me if I'm wrong, but don't quite a few members here work for the government?

                  Maybe not some 007 job, but doing things like contracted design work etc..

                  Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.

                  I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but supposedly they exist.

                  Maybe one of the authors who write books on vulnerabilities in other designs could prove that there is such a thing as a secure system one day.
                  I'd like to correct myself. I don't think that the government is necessarily ignorant, but I think it underestimates its citizens. It's likely that there will be close to or just as many passport frauds as there were before the e-passports.
                  Last edited by patsprou; November 19, 2006, 21:31. Reason: Misspelled word


                  • #10
                    Re: Major Malfunction makes the news again

                    It doesn't really matter. It's all security through obscurity.

                    If any of the "experts" ever sat down at the metaphorical round table and designed a system they claimed was totally secure, their book sales would drop months later when another "expert" published exploits for vulnerabilities in their system.

                    Just look at how many "uncrackable" encryption algorithms have been demolished over the past 20 years as a result of some mathematician sitting at his bench working out new equations, only to stumble upon something that single-handedly converts massive amounts of garble to plain text.

                    20 years from now some newly discovered mathematics is probably going to do the same to quantum cryptography. Just because the logic you know now doesn't affect it doesn't mean what you evolve to know decades from now won't.

                    Saying security is a possibility is the same as claiming to truly understand the universe. I don't care how enlightened you think you are. Most people's self-confidence is the product of their short-sighted aspirations anyway.
                    Last edited by VAX_to_PBX; November 19, 2006, 22:09.



                    • #11
                      Re: Major Malfunction makes the news again

                      Yeah VAX, I see what you're saying. You're saying basically if it can be created it can be destroyed, right? So (and here I go again shooting my mouth off) maybe we shouldn't rely on one set of encryption but have a new and random encryption applied every time, cause you said it yourself:

                      Originally posted by VAX_to_PBX
                      Just look at how many "uncrackable" encryption algorithms have been demolished over the past 20 years as a result of some mathematician sitting at his bench working out new equations only to stumble upon something that single-handedly converts massive amounts of garble to plain text.
                      And one of the main rules of a secure password is that it should be changed every 60 days. So what, every 60 days (or more, depending on how long it takes to recode the new encryption) the encryption should be changed and the old one should be scrapped and replaced so people don't have time to crack it? I know it would be a strain and would take a BIG group of mathematicians to do, but it's all in the name of security, right?


                      • #12
                        Re: Major Malfunction makes the news again

                        Originally posted by VAX_to_PBX View Post
                        Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.
                        well, peer review and criticism from knowledgeable colleagues and people with ties to the industry is, in my opinion, a better thing than having random outsiders throwing stones and having an array of half-informed or totally ignorant comments from the peanut gallery of the mainstream every time the news does a story about a security vulnerability.

                        however, your comments are very loaded and deserve adequate attention on a more point-by-point basis. i'll try to break things down a bit here and i assume others will have similar thoughts to share, many of which (like my own) will address broad themes which, while they may not be the most exacting fit to your specific points, cut to the core of what we all strive towards... better security for everyone.

                        Originally posted by VAX_to_PBX View Post
                        I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but supposedly they exist.
                        that's a bit of a fallacy there... the notion of a "secure" system in the manner that you describe seems to be a "totally impervious" system... one in which no holes are found, now or anytime in the future. we all know that they do not exist and can not exist. security isn't about eliminating risk, it's about adequately assessing and predicting risk, then mitigating and minimizing said risk.

                        Originally posted by VAX_to_PBX View Post
                        designing a system that doesn't have security holes.
                        there are, in fact, systems that do exist now which can do an absolutely outstanding job of providing physical security in terms of area access and weapons screening... just look at DoD facilities, casinos, etc. however, all this security comes at a cost... there are financial costs of design, implementation, training, etc. there are also non-fiscal "costs" of use in terms of hassles, delays, and general dissatisfaction on the part of the public. you can tell someone that they aren't getting through the doors of the pentagon without passing through various procedures and checkpoints... if they don't like it they don't have to work there. you can't just outright tell airline passengers that they must blindly accept all the delays and intrusions of such a system, however. an 80-year-old grandmother has the right to travel without being subjected to overly-excessive security provisions.

                        Originally posted by VAX_to_PBX View Post
                        selling the practical system ... so people the world over can be secure
                        ah, now here is a whole separate can of worms. designing a security solution is in many ways wholly unrelated to selling said solution and getting it accepted and implemented.

                        realize... there are generally three parties (at a minimum) who are represented in this sort of relationship:

                        1. those who designed a security product/system
                        2. those who are in charge of providing "security"
                        3. those who are subjected to / affected by / allegedly "protected" by said security

                        usually -- indeed... i would say always -- the values and goals of all three parties are not the same.

                        in terms of airport security, designers want to make something that is cheap on paper (so that people will buy it) and even cheaper to produce (so that the designers make a profit)... the people in charge of adopting it want it to be visible more than they want it to be effective (because "security theater" is far better for one's public image than most real security)... and the public is generally split between wanting to "feel" safe but not wanting to have it cost them anything in additional fees or delays during check-in and travel.

                        in my opinion, the biggest problem with security comes down to group #2 in my list above... those in charge of adopting it and implementing it. these people are generally the most conscious of costs (and how to reduce them by cutting every goddamn corner possible) and do everything in their power to keep group #3 misinformed and placated while simultaneously sending the message to everyone in group #1 that designing phony security is a great way to win contracts but designing real security is a great way to wind up out of business.

                        you want my quick and dirty run down of a "highly secure" solution to this one, explicit situation? (air travel) ok, here goes... i highly encourage others to further develop this theme in their own posts.

                        ---- --- -- -[ Deviant's Secure Air Travel System ]- -- ---- ----

                        1. key above all things as follows: prevent the threat of planes being hijacked or blown up in the air. all other concerns are secondary. that means that stopping drug smuggling (or any other smuggling) should get almost zero consideration. airlines should not be in charge of enforcing duty taxes... that's the job of the Customs department. they can figure that shit out themselves.

                        2. travelers should not only have the right to travel anonymously... but ID should never be part of the check-in process. by removing identification we totally eliminate the possibility of "watch lists" or "cleared traveler lists" and any other similar bullshit. such databases are nothing but a means to disrupt the lives of law-abiding citizens while simultaneously being a point of weakness to be potentially exploited (you think terrorists haven't already started to learn what it takes to get on the "trusted traveler list"?) assessing whom to subject to additional scrutiny or security screening should be handled both with random checks as well as methods like behavioral profiling and other techniques which have been shown to be far more advanced and accurate.

                        3. security checkpoints should concern themselves exclusively with keeping items off planes that are actually dangerous to have. liquids, blades, tools, lighters... all of these make almost zero impact in the security equation if they are possessed by passengers in the cabin. i'm alright with firearms being checked and stowed as baggage. potentially explosive compounds (in hazardous amounts) are fine to be excluded from the plane entirely.

                        add up those three points and you can already get warmed up to take a few very powerful swings as a devil's advocate against me...

                        "under your system, osama bin laden could be the passenger seated next to you with a lighter and a box cutter in his pocket and you wouldn't even know it!"

                        yeah, and your point is what, exactly? he can't get into the cockpit because the doors are all (or nearly all) reinforced now and a box cutter won't do shit against steel. he can't bring down the plane, either... what's he gonna do? use his lighter to ignite an airline bottle of Bacardi 151? he can flambé his in-flight meal but he can't blow apart the fuselage.

                        - -- --- ----

                        like i said... this is a very complex issue with a whole lot of multifaceted answers. security isn't about wielding the flaming sword of the almighty, smiting down all those who could ever think to threaten you. security is about avoidance, deterrence, and de-escalation of risk. it's at its best when practiced completely in the open, freely criticized by experts and lay people alike... and without properly defined goals and priorities, anything that someone designs is likely dead on arrival.

                        that's the main reason i feel we are not secure today... so many of our solutions are designed with social control in mind as opposed to risk management. then they are implemented and carried out in secret, with little or no opportunity for people to actually identify and fix what's broken.
                        Last edited by Deviant Ollam; November 19, 2006, 22:35.


                        • #13
                          Re: Major Malfunction makes the news again

                          Deviant hit the nail on this one quite well, where the security theater becomes more important than the actual security metric.

                          One comment is that by removing the need for ID, everyone is on the same level and treated as the same amount of threat. This means that logic can prevail and you can inspect nervous guy #1 more closely, rather than trying to bar a six-month-old baby whose name shows up on some list.

                          Arguments aside, we can all agree that poking holes is easier than designing the whole thing. The problem comes when complacency and general half-assedness come into play.

                          The current street value of an american passport is about $60-80,000. For a crook to forge and sell 10 passports, that's a buttload of money. It's worth his effort to dump $100K into forgery R&D. Against this kind of well funded adversary, 'good enough' should not enter into the debate. However it seems that it has.

                          The original ICAO specs for biometric passports did not specify contactless chips. They specified the amount of memory, acceptable biometrics, how to store them, etc. but the interface was left to member countries. It was the US that arm twisted other countries into adopting RFID.

                          At the time of the original spec, there were plenty of *contact* based technologies that would have worked but were not selected. Embedded smart chips, iButtons, and even some more exotics were possible, yet they selected RFID and introduced a whole host of problems they have been trying to patch ever since. With a contact based system, you have no radio leakage and, since you have to hand the passport to the border guard anyway, no loss in productivity or efficiency.

                          My quick 'n dirty secure solution:

                          - Smart card chip embedded in the inside back cover
                          - Hand the passport to the border guard who inserts it into a reader
                          - PKI handshake, dump cryptographic signed and encrypted data to terminal
                          - Terminal does decryption (so key never leaves the terminal)
                          - Information is presented on screen for verification against printed info and person
                          - Passport is returned and decrypted info is not stored on the reader/terminal

                          To clone the passport, you would need to take physical possession of the passport to read the info. No radio leakage of information, and depending on how you set up the system, the chips could be upgradable with new crypto and/or keys should the system be compromised.

                          This system is not unreasonably complex or expensive. It meets ICAO criteria and is significantly more secure. The tin-foil-hat side of my brain asks why they did not go further and use a contact system, or use a metal shield that stays closed at the very least. Why was the deployed implementation 'good enough'?


                          • #14
                            Re: Major Malfunction makes the news again

                            Originally posted by renderman View Post
                            The tin foil hat side of my brain asks why they did not go further and use a contact system, or use a metal shield that stays closed at the very least. Why was the deployed implementation 'good enough'
                            that sort of questioning is what keeps me up occasionally at night and makes my head ache... for me it comes down to the debate of "are they really that malicious and power mad?" versus "are they really that stupid and cheap?"

                            on the one hand, we have the possibility that the government intentionally adopts weak security measures (at least as far as protecting citizens is concerned) so that they remain confident in their ability to break them / compromise them / etc. is someone in the DoD or in a shadow department of the executive branch actually contemplating a world where federal monitoring devices are installed in every "Don't Walk" sign which employ high sensitivity RFID technology in order to track and monitor as many citizens as possible? this remains a highly unlikely situation, and it would be one that's rather easy (at least for a skilled subculture like ours) to counteract to one degree or another. but it's the scarier of the two possibilities.

                            on the other hand, we have the possibility that the government is just wildly ignorant of security matters, listening to the testimony and advice of hand-picked appointees as opposed to requesting comments and input from the whole security community. beholden to american firms (and let's face it, you can see how RFID and BlueTooth are two technologies that the western tech sector is heavily pimping these days) the government adopts new systems based on marketing and potential sales dollars to their campaign donors. this scenario is more likely, and perhaps less scary (which is worse... ignorance or malice on the part of authority figures?) but is more likely to result in damage, compromise, and increased risk in the short term.


                            • #15
                              Re: Major Malfunction makes the news again

                              Deviant's procedure is compromised when he turns most of the detailed workload over to third parties.

                              Renderman's idea is a good security-through-obscurity method that is slightly more difficult to intercept than the whole RFID procedure.

                              Even without the RF transponder the chip still emits EMI. The fact that it can execute instructions actually makes it an even bigger threat though. Also smart chips can often be dumped, and cloned.

                              Even though the key is stored in the airport terminal, that doesn't mean the data is safe. It all depends on the encryption scheme and how much computing power it'd take to do a good cryptanalysis on the encrypted data. The potential attacker is probably going to have some good resources in the computing department. He/she may even work at a place with a mainframe. I know some of the Pakistanis here in NC that have been through terrorist camps hold highly privileged positions at Microsoft... just kidding, or am I!?

                              As for the visual data confirmation on screen I'll make a broad reference to the voter machine audits.
                              Last edited by VAX_to_PBX; November 20, 2006, 09:30.