Risk
9/7/2006
01:10 AM
50%
50%

Keep Your Laws Off My Security

Those in government ignore practicalities like breakability or porous security at their peril, and the public's

The more important computer security becomes, the more likely it is to be written into the law of the land. On the face of it, maybe that's a healthy trend. However, technologists may be surprised by how far things can get off track when the law embraces bad security ideas for no apparent reason. It's not always pretty, as security problems with electronic passports and electronic voting clearly demonstrate.

ePassports and the RFID debacle
Since 2001, the U.S. government has been working on standardizing passports so they would be machine readable. One thread of the effort concentrates on embedding an RFID chip into passports so they can be scanned remotely. From the time that the RFID passport was proposed, security experts fretted over the privacy and security implications of this technology choice. The main problem is any RFID reader can be used to ping the chip and read the data that it has stored on it.

Privacy implications are obvious: You could scan a crowd for Americans (or even for Texans), collect names and birthdates, and any number of other privacy-invading activities. One particularly nasty scenario suggested that a terrorist bomb could be programmed to set itself off only when enough Americans were in range. Personalization in munitions sounds like a bad trend straight out of "Dune."

Regardless of the criticism surrounding ePassports, the government forged ahead, citing as justification a completely fallacious "fact" that passports would need to be placed within 10 centimeters of a reader in order for the data to be scanned. Sound familiar? Anybody remember when some people thought that WiFi access point signals were detectable from only a few hundred feet away or closer? That was before hackers hit on the idea of hooking a powerful antenna up to the WiFi card on a PC and doing some war driving. Then came Bluetooth sniping across a crowded tube station. Now it's RFID pickpocketing.

In all of these cases, nobody listened to the technologists. This is an all-too-common problem when it comes to the government, as Princeton professor and famous blogger Ed Felten emphasized recently in an interview for my Silver Bullet Security Podcast, "There's a dangerous syndrome we can get into where we try to keep ourselves from understanding how our systems can fail rather than keeping them from failing. You see this all over the place. You see it in security and a lot in e-voting, where it seems like sometimes the goal of some people is to prevent finding out about problems rather than to prevent problems."

Security problems with RFID chips were publicized by security experts years ago. Among the first to raise the alarm were Johns Hopkins professor Avi Rubin and his grad students in a study of the Texas Instruments DST RFID built into vehicle immobilizers and ExxonMobil Speedpass devices. The Hopkins RFID crack went beyond simple snooping to involve breaking a cryptographic cipher meant to keep the data private. Using a PC and a special cracker that they built, the Hopkins researchers could buy gas on someone else's dime, steal cars without a key, and other really not very nice things way back in January 2005.

RFID security is in the news again due to a recent flurry of publicity from Blackhat. A German hacker who goes by the handle Grunwald claims to have been able to clone passport RFID chips with two weeks of concerted effort. He started his attack by reading the open International Civil Aviation Organization standards documents explaining how the chips work. He then procured a reader/writer and proceeded to demonstrate his attack successfully for Wired magazine.

Don't believe government officials when they claim we didn't tell them this was going to happen. We did.

Electronic Voting
A very similar problem crops up in electronic voting, which is bound to draw a flurry of attention now that the midterm elections are at hand. For years, top computer scientists have challenged the security of current electronic voting systems.

Once again at the forefront is Avi Rubin whose e-voting security work has been covered by CNN, NPR, and 60 Minutes. Rubin is the calm in the eye of the security hurricane surrounding Diebold voting machines. In his new book Brave New Ballot, he describes what it is like to be under attack for simply trying to tell the truth about how security technology does and does not work.

Once again, security experts are warning of trouble, and once again the government doesn't seem to be listening. It's time that those of us in the know did something about it.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Secure Wifi Hijacked by KRACK Vulns in WPA2
Jai Vijayan, Freelance writer,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.