Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Keep Your Laws Off My Security

Those in government ignore practicalities like breakability or porous security at their peril, and the public's

The more important computer security becomes, the more likely it is to be written into the law of the land. On the face of it, maybe that's a healthy trend. However, technologists may be surprised by how far things can get off track when the law embraces bad security ideas for no apparent reason. It's not always pretty, as security problems with electronic passports and electronic voting clearly demonstrate.

ePassports and the RFID debacle
Since 2001, the U.S. government has been working on standardizing passports so they would be machine readable. One thread of the effort concentrates on embedding an RFID chip into passports so they can be scanned remotely. From the time that the RFID passport was proposed, security experts fretted over the privacy and security implications of this technology choice. The main problem is any RFID reader can be used to ping the chip and read the data that it has stored on it.

Privacy implications are obvious: You could scan a crowd for Americans (or even for Texans), collect names and birthdates, and any number of other privacy-invading activities. One particularly nasty scenario suggested that a terrorist bomb could be programmed to set itself off only when enough Americans were in range. Personalization in munitions sounds like a bad trend straight out of "Dune."

Regardless of the criticism surrounding ePassports, the government forged ahead, citing as justification a completely fallacious "fact" that passports would need to be placed within 10 centimeters of a reader in order for the data to be scanned. Sound familiar? Anybody remember when some people thought that WiFi access point signals were detectable from only a few hundred feet away or closer? That was before hackers hit on the idea of hooking a powerful antenna up to the WiFi card on a PC and doing some war driving. Then came Bluetooth sniping across a crowded tube station. Now it's RFID pickpocketing.

In all of these cases, nobody listened to the technologists. This is an all-too-common problem when it comes to the government, as Princeton professor and famous blogger Ed Felten emphasized recently in an interview for my Silver Bullet Security Podcast, "There's a dangerous syndrome we can get into where we try to keep ourselves from understanding how our systems can fail rather than keeping them from failing. You see this all over the place. You see it in security and a lot in e-voting, where it seems like sometimes the goal of some people is to prevent finding out about problems rather than to prevent problems."

Security problems with RFID chips were publicized by security experts years ago. Among the first to raise the alarm were Johns Hopkins professor Avi Rubin and his grad students in a study of the Texas Instruments DST RFID built into vehicle immobilizers and ExxonMobil Speedpass devices. The Hopkins RFID crack went beyond simple snooping to involve breaking a cryptographic cipher meant to keep the data private. Using a PC and a special cracker that they built, the Hopkins researchers could buy gas on someone else's dime, steal cars without a key, and other really not very nice things way back in January 2005.

RFID security is in the news again due to a recent flurry of publicity from Blackhat. A German hacker who goes by the handle Grunwald claims to have been able to clone passport RFID chips with two weeks of concerted effort. He started his attack by reading the open International Civil Aviation Organization standards documents explaining how the chips work. He then procured a reader/writer and proceeded to demonstrate his attack successfully for Wired magazine.

Don't believe government officials when they claim we didn't tell them this was going to happen. We did.

Electronic Voting
A very similar problem crops up in electronic voting, which is bound to draw a flurry of attention now that the midterm elections are at hand. For years, top computer scientists have challenged the security of current electronic voting systems.

Once again at the forefront is Avi Rubin whose e-voting security work has been covered by CNN, NPR, and 60 Minutes. Rubin is the calm in the eye of the security hurricane surrounding Diebold voting machines. In his new book Brave New Ballot, he describes what it is like to be under attack for simply trying to tell the truth about how security technology does and does not work.

Once again, security experts are warning of trouble, and once again the government doesn't seem to be listening. It's time that those of us in the know did something about it.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11559
PUBLISHED: 2019-09-17
A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component.
CVE-2019-15729
PUBLISHED: 2019-09-17
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request.
CVE-2016-10983
PUBLISHED: 2019-09-17
The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data.
CVE-2016-10984
PUBLISHED: 2019-09-17
The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.
CVE-2016-10985
PUBLISHED: 2019-09-17
The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.