Risk

Keep Your Laws Off My Security

Those in government ignore practicalities like breakability or porous security at their peril, and the public's

The more important computer security becomes, the more likely it is to be written into the law of the land. On the face of it, maybe that's a healthy trend. However, technologists may be surprised by how far things can get off track when the law embraces bad security ideas for no apparent reason. It's not always pretty, as security problems with electronic passports and electronic voting clearly demonstrate.

ePassports and the RFID debacle
Since 2001, the U.S. government has been working on standardizing passports so they would be machine readable. One thread of the effort concentrates on embedding an RFID chip into passports so they can be scanned remotely. From the time that the RFID passport was proposed, security experts fretted over the privacy and security implications of this technology choice. The main problem is any RFID reader can be used to ping the chip and read the data that it has stored on it.

Privacy implications are obvious: You could scan a crowd for Americans (or even for Texans), collect names and birthdates, and any number of other privacy-invading activities. One particularly nasty scenario suggested that a terrorist bomb could be programmed to set itself off only when enough Americans were in range. Personalization in munitions sounds like a bad trend straight out of "Dune."

Regardless of the criticism surrounding ePassports, the government forged ahead, citing as justification a completely fallacious "fact" that passports would need to be placed within 10 centimeters of a reader in order for the data to be scanned. Sound familiar? Anybody remember when some people thought that WiFi access point signals were detectable from only a few hundred feet away or closer? That was before hackers hit on the idea of hooking a powerful antenna up to the WiFi card on a PC and doing some war driving. Then came Bluetooth sniping across a crowded tube station. Now it's RFID pickpocketing.

In all of these cases, nobody listened to the technologists. This is an all-too-common problem when it comes to the government, as Princeton professor and famous blogger Ed Felten emphasized recently in an interview for my Silver Bullet Security Podcast, "There's a dangerous syndrome we can get into where we try to keep ourselves from understanding how our systems can fail rather than keeping them from failing. You see this all over the place. You see it in security and a lot in e-voting, where it seems like sometimes the goal of some people is to prevent finding out about problems rather than to prevent problems."

Security problems with RFID chips were publicized by security experts years ago. Among the first to raise the alarm were Johns Hopkins professor Avi Rubin and his grad students in a study of the Texas Instruments DST RFID built into vehicle immobilizers and ExxonMobil Speedpass devices. The Hopkins RFID crack went beyond simple snooping to involve breaking a cryptographic cipher meant to keep the data private. Using a PC and a special cracker that they built, the Hopkins researchers could buy gas on someone else's dime, steal cars without a key, and other really not very nice things way back in January 2005.

RFID security is in the news again due to a recent flurry of publicity from Blackhat. A German hacker who goes by the handle Grunwald claims to have been able to clone passport RFID chips with two weeks of concerted effort. He started his attack by reading the open International Civil Aviation Organization standards documents explaining how the chips work. He then procured a reader/writer and proceeded to demonstrate his attack successfully for Wired magazine.

Don't believe government officials when they claim we didn't tell them this was going to happen. We did.

Electronic Voting
A very similar problem crops up in electronic voting, which is bound to draw a flurry of attention now that the midterm elections are at hand. For years, top computer scientists have challenged the security of current electronic voting systems.

Once again at the forefront is Avi Rubin whose e-voting security work has been covered by CNN, NPR, and 60 Minutes. Rubin is the calm in the eye of the security hurricane surrounding Diebold voting machines. In his new book Brave New Ballot, he describes what it is like to be under attack for simply trying to tell the truth about how security technology does and does not work.

Once again, security experts are warning of trouble, and once again the government doesn't seem to be listening. It's time that those of us in the know did something about it.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9978
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVE-2019-9977
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.