Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Keep Your Laws Off My Security

Those in government ignore practicalities like breakability or porous security at their peril, and the public's

The more important computer security becomes, the more likely it is to be written into the law of the land. On the face of it, maybe that's a healthy trend. However, technologists may be surprised by how far things can get off track when the law embraces bad security ideas for no apparent reason. It's not always pretty, as security problems with electronic passports and electronic voting clearly demonstrate.

ePassports and the RFID debacle
Since 2001, the U.S. government has been working on standardizing passports so they would be machine readable. One thread of the effort concentrates on embedding an RFID chip into passports so they can be scanned remotely. From the time that the RFID passport was proposed, security experts fretted over the privacy and security implications of this technology choice. The main problem is any RFID reader can be used to ping the chip and read the data that it has stored on it.

Privacy implications are obvious: You could scan a crowd for Americans (or even for Texans), collect names and birthdates, and any number of other privacy-invading activities. One particularly nasty scenario suggested that a terrorist bomb could be programmed to set itself off only when enough Americans were in range. Personalization in munitions sounds like a bad trend straight out of "Dune."

Regardless of the criticism surrounding ePassports, the government forged ahead, citing as justification a completely fallacious "fact" that passports would need to be placed within 10 centimeters of a reader in order for the data to be scanned. Sound familiar? Anybody remember when some people thought that WiFi access point signals were detectable from only a few hundred feet away or closer? That was before hackers hit on the idea of hooking a powerful antenna up to the WiFi card on a PC and doing some war driving. Then came Bluetooth sniping across a crowded tube station. Now it's RFID pickpocketing.

In all of these cases, nobody listened to the technologists. This is an all-too-common problem when it comes to the government, as Princeton professor and famous blogger Ed Felten emphasized recently in an interview for my Silver Bullet Security Podcast, "There's a dangerous syndrome we can get into where we try to keep ourselves from understanding how our systems can fail rather than keeping them from failing. You see this all over the place. You see it in security and a lot in e-voting, where it seems like sometimes the goal of some people is to prevent finding out about problems rather than to prevent problems."

Security problems with RFID chips were publicized by security experts years ago. Among the first to raise the alarm were Johns Hopkins professor Avi Rubin and his grad students in a study of the Texas Instruments DST RFID built into vehicle immobilizers and ExxonMobil Speedpass devices. The Hopkins RFID crack went beyond simple snooping to involve breaking a cryptographic cipher meant to keep the data private. Using a PC and a special cracker that they built, the Hopkins researchers could buy gas on someone else's dime, steal cars without a key, and other really not very nice things way back in January 2005.

RFID security is in the news again due to a recent flurry of publicity from Blackhat. A German hacker who goes by the handle Grunwald claims to have been able to clone passport RFID chips with two weeks of concerted effort. He started his attack by reading the open International Civil Aviation Organization standards documents explaining how the chips work. He then procured a reader/writer and proceeded to demonstrate his attack successfully for Wired magazine.

Don't believe government officials when they claim we didn't tell them this was going to happen. We did.

Electronic Voting
A very similar problem crops up in electronic voting, which is bound to draw a flurry of attention now that the midterm elections are at hand. For years, top computer scientists have challenged the security of current electronic voting systems.

Once again at the forefront is Avi Rubin whose e-voting security work has been covered by CNN, NPR, and 60 Minutes. Rubin is the calm in the eye of the security hurricane surrounding Diebold voting machines. In his new book Brave New Ballot, he describes what it is like to be under attack for simply trying to tell the truth about how security technology does and does not work.

Once again, security experts are warning of trouble, and once again the government doesn't seem to be listening. It's time that those of us in the know did something about it.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9385
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
CVE-2020-9382
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
CVE-2020-1938
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...
CVE-2020-9381
PUBLISHED: 2020-02-24
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
CVE-2019-17569
PUBLISHED: 2020-02-24
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind...