Archive for the ‘hackers’ Category

BTC- It happened to me.  I was hacked and for good reasons.

This summer I moved into a new building in the wealthy, surveillance laden town of Bellvue, Washington.  It is home to much of what Microsoft is known for today.  The move itself was a compromise with my sometimes privacy-deaf significant other, so he could save hundreds of hours in traffic and gas.

My misery quickly compounded when I realized, only after receiving the keys to my new digs, that every elevator ride and doorway entry was dependent on an activated and encrypted HID brand “key fobb”.  The rental administrators, cheerful and accomodating birds of a feather, expressed enthusiasm  over the RFID tote as a posh security amenity. In the days to follow, I became relentlessly irritable, crabbing at every movement based on a requirement that I use the damned RFID device.  All of my new acquaintances heard my exasperation.

Misery proved desperate for company, as I dragged a local activist to the downtown area after attending an ACLU legal education series on government surveillance of non-criminal activity.  I wanted him to see exactly how prolific the CCTV surveillance had become.

“I really don’t like it here and I don’t want to be here,” my guest said after rolling through intersection after intersection containing 2 real time CCTV cameras, a scattershot detector and some ugly speed radar equipment.  If you couldn’t make the case for a government audit based on waste detection, you could make the case for sheer urban blight.

The first time I noticed the cameras weren’t limited to intersections, I was shopping with my partner at Whole Foods.  As we wheeled the grocery cart to the back of the trunk,  our attentions were suddenly diverted.  A large ruffled crow was sounding off loudly after landing atop a city CCTV camera in the far corner of the parking lot. It was a creepy goad, galvanizing my resolve to not let Big Bro. get me down and to lend an effort to make a difference.

As we returned home, I was quickly reminded that an RFID record was created as I  entered the elevator at 2:30 PM at the 1st floor of the garage and then pushed the up button to my floor at 2:31PM.  If that wasn’t enough, there was a dome-camera watching  my partner and I cart our groceries into the foyer while waiting on the elevator.

This was fast becoming my life and it was driving me crazy.

I went to the HID website searching for my key fobb product when I came across their governance contracts and contributions to the UAE’s national ID program and a nice fat endorsement of the NSTIC program.  A matter of hours later, I irritably waited for my webmail to load in Internet Explorer and tried not to dissolve into a puddle in the middle of the business center.  A short time later  a man seated himself next to me and  introduced himself as a DHS bomb detection worker.  He proceeded to try to bait me in conversation with neat questions like, “So you think the agency should just be disbanded, huh?” and other greatest hits like, “So you would be okay with letting our guard down and people bombing this country, huh?” and “Who do you work for?”

I didn’t actually answer these questions.   I just stared at him in wonder, at how close this all seemed to some sort of lucid collaborative harassment.  Could it be that someone was busy writing a SAR in anticipation of what I *might* do as an activist in the Seattle Metro area? Seattle, WA was the one of the initial pilot locations of the model Fusion Center.  My mention of certain TSA workers’ cancer affliction due to airport Rapiscan equipment made for a convenient end to our conversation.

THE ADVOCATES AT BLACK HAT

Some connections with dotRights campaigners and members of the active medical marijuana community assisted me in my quest for soul survival in what seemed like digital snakes nest for a privacy & civil liberty proponent.  Some of them would be making a pilgrimage to the Defcon/Black Hat Conference.   As it turns out Black Hat, the beaming intellect of the hacker conferences, was based in Seattle too.

In the days to follow, privacy advocates aired grievances during the Black Hat conference over Facebook’s cardinal sins against privacy: arbitrary data retention, open face delivery to federal and corporate surveillance authorities, biometric captures and intrusions unearthing users most sensitive information, like Social Security Numbers.  Our contribution was an interview with an app developer for Obscuracam, where we re-discovered the Big Web problem of social media profiling by prospective employers. Follow up reports from NPR revealed, social media research firms have been contracted by HR departments to dig up anything you have posted to social networks in the last 7 years.   [Pssst.  Use AccountKiller.com to clean up your mess now!]

Another late development following the conference was the rise and fall of Anonymous’ Facebook Op.  The 10 month old campaign railed against Facebook’s International crimes against the user privacy in this video release.  Amid their other damning claims was Facebook’s involvement in trading activist profile information with authoritarian governments for purposes of targeting in Egypt and abroad.

The conference ended over the August 6th weekend.  And the people rested on Monday and Tuesday and part of Wednesday even…

WHEN SOMEONE DEACTIVATES YOUR RFID TAG….

I tend to hole up in my home, reporting, watchdogging without leaving for days.  I left my home on a Thursday afternoon and boarded the elevator.   I posted my HID key fobb to the door panel.  It glowered red and took me for a ride to the basement. Again- to the right corner was your friendly-fascist dome cam to greet me.

A nice Indo-Asian couple and their young son boarded the elevator and recommended that I just try using my key fobb a different way.  Following their advice to get to the rooftop, I took the stairs for exercise.  As I got to the top, my key fobb didn’t work, glowing a nice red -NO- to my entry at the roof.  I figured this was fluke.

It wasn’t.  I quickly learned I was trapped in the stairwell and unless I reached the ground floor of the building I would not be able to get out.  This was the certain taste of what it would be like to be suddenly cut off  from access in a heavily RFID dependent building.

I made haste to get down to the bottom of the building.  I went outside to test my key and had to have help from another tenant to regain entry.  My key fobb was not working.   I tried the mercies of  a gentleman coming through the doorway.

I quickly explained my distress over the electronic key malfunction and the close of the leasing office for the day.  I didn’t have my phone with me to call for help.

He worked for Microsoft- how could he deny me technical support?  We worked together to get on the phone with the building’s after hours service.  We retrieved the emergency number online and moved onto the next hurdle.

As a new neighbor, he successfully assured me he wasn’t a serial killer and accompanied me to his new home to retrieve his cell phone.   He didn’t yet have land line service.   As I milled around the couches  in partially furnished living space,  I came across interesting books, The True Believer: Thoughts on the Nature of Mass Movements and a yellowed paperback of Atlas Shrugged.  I could count my blessings,  I was in good company.

The leasing manager was then added to our conversation.  She asked me to provide my key fobb number.

LM:”Did you do anything to your key fobb?” 

Me: “No.”

LM: “It’s not coming up! What did you do to your key fobb?”

BE CAREFUL WHAT YOU WISH FOR…

I agreed to meet the building manager immediately downstairs in the Leasing Office to figure out what went wrong.   I handed her my keys and she punched in the numbers of the key fobb device.

LM: “You’re not in here.  I’ve checked 5 times.  You are completely gone.   I can’t find your name.  I can’t find anything! It’s gone. There’s no record of you in this system.”

Me: “Whoever did this knows me pretty well.”

I sighed, realizing my incessant complaining about the RFID dependent use in the building, may have reached the ears of some pranking, friendly hacker sprites.   It was a neat trick but scary for the leasing office because they discovered a systemic vulnerability which needed professional casing.

I finally explained there are 4 types of hackers: basement hackers, corporate penetration testers,  the feds and vigilante hackers, like Anonymous.   She should probably look into a corporate hacking remedy to shore up the holes in their system.

I was given an pseudonym account with a different key fobb.  Nowadays,  I can get around the building and no one really knows it’s me.  If the lights go down, I will know how to exit the building safely.

With the bulk of privacy battles still in front of me, this relief was as much welcome, as it was mildly unnerving.  It might be tough to say I am uninitiated to the pranks and benefits of the hacker community.

This blog will be my only way to thank them for their backhanded brand of help from the digital underground.

But I will look into the sunset from now on and wonder,  who was that anonymous hacker who helped me beat my chip?!

Advertisements

BTC –CNET’s Declan McCullagh and Elinor Mills discuss breaking news filtering out from annual federal-private hacker conferences Defcon & Black Hat. The Reporter’s Roundtable converges about Operation Shady Rat, private robotic drones, the relevance of Smart Meters, facebook’s facial recognition technology risks in social networking and how Apple batteries and medical insulin implants can be hacked.

SEE ALSO: AntiSec hackers post stolen police data as revenge for arrests

BTC – Internal fraud and vulnerability to hacks is an ongoing problem across the nation. This has not been a good week for secured identity solutions entrusted to government or public databases. Try as you may, the blame does not lie on the immigrant but the operators and users of less secure technologies.

DMV Worker, State Trooper Charged In Bribery, ID Fraud Case

CONCORD, N.H. — WMUR

Seven people — including a state trooper and an employee of the Division of Motor Vehicles — have been charged in connection with a bribery and identity fraud scheme that allowed illegal immigrants to get driver’s licenses, the attorney general’s office said Wednesday.

Denver’s website hacked twice in one week

The city and county of Denver website was pulled down Monday night after it was hacked, the second such attack in a week.

Hackers, peer-to-peer networks, human error all threaten health data security

“I spend about $1 million a year just protecting the Beth Israel Deaconess [hospital] records against the nefarious Internet. We’re attacked every seven seconds, 24 hours a day, seven days a week,” Halamka says in an interview with Bio-IT World. “Half of the attacks come from Eastern Europe; half of the attacks come from Eastern Cambridge [Mass.]. Every September, 1,200 new hackers arrive–they’re called freshmen!”

BTC – This blog’s hosting technology goes through Google. This lead came in from friend of the blog, JP of NCard who sends us stuff all the time. He’s a long time, sure footed opponent of the National ID card.

“The hackers got access to the coding in the password system that controls millions of users’ access to many Google services.”


A vast amount of info in one place
c/o  StarTribune.com 

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in one place, a single breach can lead to disastrous losses.


The theft began with a single instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition he not be identified. ::: MORE HERE:::

BlogTalkRadio broadcasts repeatedly compromised, suffered from repeated DeLays

“This was by far, the most obvious outside attempt to maliciously pre-empt us in the program’s history. Based on where our program was rerouted it appears politically motivated by those entertained by neo-conservative talk.”WakingUpOrwell

3/29/10 -11:00 PM PST – We’ve just discovered the copy of our lost program. The show sounds a lot like a recording of someone running on foot during the Blair Witch Project while reading news. It looks like the information available on BlogTalkRadio is consistent with what happened Thursday. We are still not going back… give today so we can keep the show alive.
BTC – Waking Up Orwell, BeatTheChip.org’s regular weekly radio news magazine, has been compromised for the 3rd time in its history of airing on BlogTalkRadio. The show was interrupted by an aggressive hack.
The hack preempted the airing of an interview with the Electronic Frontier Foundation’s FOIA counsel, Lee Tien who explained their findings about FBI intrusions on social networks like Facebook and BlogTalkRadio.com. The hack consisted of successive browser crashing to interrupt media uploads, account episode deletions and disparity between the front end display of the episode and oustide interference with the host’s back end capability to view, acknowledge or operate the engineering ports of a rescheduled episode.
“We sincerely apologize to regular listeners who expected to hear the scheduled programming. Unfortunately, we cannot reconcile the repeated attempts to hack our accounts with BlogTalkRadio.com and are actively seeking a new radio home for our weekly program. I did all I could do today to air the program,” says Sheila Dean, host, producer and engineer for the dystopian news program.
What audience members witnessed at airtime was a non-aired episode scheduled late at 11AM CST featuring the EFF speaker. What the host-engineer saw was a prompt saying, “There are no shows that can be scheduled 3/25/10”. Dean published her technical difficulties using Twitter until the 11 AM CST airtime. She dialed into the BlogTalkRadio host mainframe using the caller code and later spoke for over 30 minutes. The broadcast was never heard. Operating browsers from her MacNotebook crashed repeatedly, interfering uploads of the pre-recorded media and back end access to host tools were rerouted to another webpage.
Dean first noticed problems with excessively slow access to her account. She restarted her computer and logged back into her user account. She then discovered her scheduled episode was deleted. BlogTalkRadio, in a reply to service the account said that only a person with access to the account could have deleted the program and that “it could not be done from our end.” The episode was submitted to BlogTalkRadio’s PR department for promotion earlier in the week.
In an EFFort to continue to air the radio program another episode was immediately scheduled to air at 11AM CST. Soon to follow Dean experienced interruptions and disparities consisting of successive browser crashes minutes before airtime after logging into her account. Dean mitigated this by switching to another PC right before airtime. She then logged into BlogTalkRadio.com’s online account to produce Waking Up Orwell as scheduled. The Internet Explorer browser then repeatedly rerouted Dean to another newscast featuring Tom DeLay on BlogTalkRadio.com and refusing her user access to her account.
“This was by far, the most obvious outside attempt to maliciously pre-empt us in the program’s history. Based on where our program was rerouted it appears politically motivated by those entertained by neo-conservative talk,” said Dean, producer of WakingUpOrwell.
WakingUpOrwell, often features controversial news specific to privacy and promotes involvement of citizens in affairs which directly affect American civil liberty. Dean’s broadcasts feature staunch criticisms of current government policies governing citizens rights and national security. While she was dissappointed in her inability to air the program, she is optimistic about funding for a new online and terrestrial home for her popularizing program.
BlogTalkRadio.com’s technical staff claim no culpability in the hacking attempts from their end.


Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern.

“Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with the Department of Homeland Security,” he says.


[BTC Comment – Is the State Department’s job to make egregious hacks look like it was all their idea and that they have everything under control?

I guess the more important question to ask is: are you in control of your identity and where your private information lands due to RFID deployment?

If you are confident RFID is insecure you reserve the right to demand more privacy provisions, especially if it’s a legal mandate and you are required to pay for it.]

RFID Passport Tags Save Time, Risk Privacy
By Jeff Goldman

c/o WiFi Planet

The presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is safe–and that the efficiency it adds at land borders is worth the risk.

By the time WHTI went into effect on June 1st of this year, requiring Americans to present passport books, passport cards, or EDLs when crossing land borders into the United States, over a million RFID-enhanced passport cards had already been issued. While WHTI itself isn’t new, its implementation for land borders was delayed two years ago in order to allow for further testing of passport card technology.

It’s important to note that there’s a key difference between e-passports(passport books) and passport cards. While passport cards use vicinity RFID (EPC Gen 2) technology, which can be read at distances of up to 30 feet, e-passports use ISO 14443 contactless smart card tech with a read range of a few inches. To compensate for their readibility (and therefore hackability) at a distance, passport cards only transmit an ID number that relates back to information stored in a secure central database, while e-passports store and transmit much more detailed information about the passport holder.

According to Randy Vanderhoof, executive director of the Smart Card Alliance, that difference was key to the selection of the two technologies. “The electronic passport was built knowing that it was going to store secure information like a person’s name, city of issuance, passport number, image of the person… and therefore they chose a more secure chip technology to protect that information—whereas the passport card was designed to be a static identifier to a central database, with no personal information stored in the chip itself,” he says.

Vanderhoof contends that the government’s decision to use the longer-range EPC Gen 2 technology in passport cards was a mistake. “The decision to trade speed over security and privacy, I think, was a poor decision on the part of the program managers under WHTI—but they repeatedly defended the decision because of the traffic flows through the land borders and the fact that they needed something that could be read from great distances,” he says.

Still, Paul Hunter, technical lead for the Western Hemisphere Travel Initiative at U.S. Customs and Border Protection, insists that the time savings provided by the passport cards are considerable. “We can actually read the documents as they’re approaching the booth…which means, instead of handing a document to an officer and him swiping it or manually typing in data, the data’s already there, and now he can focus on the person, and he can focus on the conveyance…it saves six to eight seconds per person,” he says.

And at a land border, Hunter says, time is of the essence. “We’re talking over 100 million crossings a year,” he says. “Those six to eight seconds actually are very significant. We’ve done time and motion studies where we’ve actually measured the time it takes to take the document, to bring it into the booth, to either manually type or swipe and then wait for the results—and if you eliminate all that, you are actually on average saving between six to eight seconds.”

What’s more, Hunter says, the same technology has already been in use for over ten years in the government’s SENTRI and NEXUStrusted traveler programs. “And we have not had one reported incident of somebody skimming that data and using it for nefarious purposes…the reality is, it’s just a number,” he says. “And we further mitigate that by making sure the data that’s associated with that is in a secure back-end database.”

Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern. “Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with theDepartment of Homeland Security,” he says.

But Paget himself, now president and CTO of the security research firm H4RDW4RE, says that ID number shouldn’t be so easily accessible. “You shouldn’t necessarily think of it as low-risk just because it’s a number,” he says. “Your social security number is just a number. Your credit card number is just a number. It’s the meaning that’s attached to those numbers that makes it risky—and in this instance, it’s an identifier for a person, so any time you see that identifier, you can be certain that you’re seeing that same person.”

One possible solution, Paget says, would be to add an on/off switch to the passport card, as has been suggested by Dr. Ann Cavoukian,Information and Privacy Commissioner for the Canadian province of Ontario. Paget says it’s simply a matter of adding “a button on the card that you have to physically squeeze to turn the tag on, at which point it can be read—so it completely negates the need for shielding…because the tag is off until you actually want it to be turned on.”

The larger point, Paget says, is that RFID needs to be approached with the same caution as the Internet—both, essentially, are simply untrusted networks that move bits of data from point a to point b. “There’s no reason why RFID cannot have equivalent security to something like SSH or SSL that we use on the Internet all the time…I’m certainly not against RFID as a technology: I think it’s got great potential, but there needs to be a lot more security involved in the design of the systems,” he says.