Risk

9/7/2006
01:10 AM
50%
50%

Keep Your Laws Off My Security

Those in government ignore practicalities like breakability or porous security at their peril, and the public's

The more important computer security becomes, the more likely it is to be written into the law of the land. On the face of it, maybe that's a healthy trend. However, technologists may be surprised by how far things can get off track when the law embraces bad security ideas for no apparent reason. It's not always pretty, as security problems with electronic passports and electronic voting clearly demonstrate.

ePassports and the RFID debacle
Since 2001, the U.S. government has been working on standardizing passports so they would be machine readable. One thread of the effort concentrates on embedding an RFID chip into passports so they can be scanned remotely. From the time that the RFID passport was proposed, security experts fretted over the privacy and security implications of this technology choice. The main problem is any RFID reader can be used to ping the chip and read the data that it has stored on it.

Privacy implications are obvious: You could scan a crowd for Americans (or even for Texans), collect names and birthdates, and any number of other privacy-invading activities. One particularly nasty scenario suggested that a terrorist bomb could be programmed to set itself off only when enough Americans were in range. Personalization in munitions sounds like a bad trend straight out of "Dune."

Regardless of the criticism surrounding ePassports, the government forged ahead, citing as justification a completely fallacious "fact" that passports would need to be placed within 10 centimeters of a reader in order for the data to be scanned. Sound familiar? Anybody remember when some people thought that WiFi access point signals were detectable from only a few hundred feet away or closer? That was before hackers hit on the idea of hooking a powerful antenna up to the WiFi card on a PC and doing some war driving. Then came Bluetooth sniping across a crowded tube station. Now it's RFID pickpocketing.

In all of these cases, nobody listened to the technologists. This is an all-too-common problem when it comes to the government, as Princeton professor and famous blogger Ed Felten emphasized recently in an interview for my Silver Bullet Security Podcast, "There's a dangerous syndrome we can get into where we try to keep ourselves from understanding how our systems can fail rather than keeping them from failing. You see this all over the place. You see it in security and a lot in e-voting, where it seems like sometimes the goal of some people is to prevent finding out about problems rather than to prevent problems."

Security problems with RFID chips were publicized by security experts years ago. Among the first to raise the alarm were Johns Hopkins professor Avi Rubin and his grad students in a study of the Texas Instruments DST RFID built into vehicle immobilizers and ExxonMobil Speedpass devices. The Hopkins RFID crack went beyond simple snooping to involve breaking a cryptographic cipher meant to keep the data private. Using a PC and a special cracker that they built, the Hopkins researchers could buy gas on someone else's dime, steal cars without a key, and other really not very nice things way back in January 2005.

RFID security is in the news again due to a recent flurry of publicity from Blackhat. A German hacker who goes by the handle Grunwald claims to have been able to clone passport RFID chips with two weeks of concerted effort. He started his attack by reading the open International Civil Aviation Organization standards documents explaining how the chips work. He then procured a reader/writer and proceeded to demonstrate his attack successfully for Wired magazine.

Don't believe government officials when they claim we didn't tell them this was going to happen. We did.

Electronic Voting
A very similar problem crops up in electronic voting, which is bound to draw a flurry of attention now that the midterm elections are at hand. For years, top computer scientists have challenged the security of current electronic voting systems.

Once again at the forefront is Avi Rubin whose e-voting security work has been covered by CNN, NPR, and 60 Minutes. Rubin is the calm in the eye of the security hurricane surrounding Diebold voting machines. In his new book Brave New Ballot, he describes what it is like to be under attack for simply trying to tell the truth about how security technology does and does not work.

Once again, security experts are warning of trouble, and once again the government doesn't seem to be listening. It's time that those of us in the know did something about it.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20201
PUBLISHED: 2018-12-18
There is a stack-based buffer over-read in the jsfNameFromString function of jsflash.c in Espruino 2V00, leading to a denial of service or possibly unspecified other impact via a crafted js file.
CVE-2018-20194
PUBLISHED: 2018-12-18
There is a stack-based buffer underflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because limiting the additional noise energy l...
CVE-2018-20195
PUBLISHED: 2018-12-18
A NULL pointer dereference was discovered in ic_predict of libfaad/ic_predict.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-20196
PUBLISHED: 2018-12-18
There is a stack-based buffer overflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because the S_M array is mishandled.
CVE-2018-20197
PUBLISHED: 2018-12-18
There is a stack-based buffer underflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because limiting the additional noise energy l...