Archive for the ‘hacking’ Category

“How quickly will this database go from being strictly to prove employment eligibility to being used by police departments to gather fingerprints while circumventing the warrant process and Fourth Amendment rights of search and seizure?” – Michelle Ngo, EPIC

BTC – The AV quality on this video is semi-intelligible and uber techy. However, it does exhaustively convey how biometric breaches happen if and when they happen.

The policy on the prolific use of biometrics for worker identity is further covered by expert Michelle Ngo for Privacy Lives!

Where to begin? First, the senators say, “Each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information.” But that seems unlikely. What if someone hacked a real card and added their biometric data (fingerprints, eye scans, whatever is chosen by the government) to the card? Their fingerprints would match the fingerprints on the card, so they would be “identified” as the name on the card. There would likely need to be a database to check for accurate credentials.

Altering a biometric digitally by breaking into the system is just one security problem with biometric identification. Individuals could use false identification at enrollment or a biometric could be altered physically.

The senators state that they need “a tamper-proof ID system” to fix the immigration problem. But there is no tamper-proof ID system. You can strengthen ID systems, but they’ll still be forged by people with means and motive. Former Homeland Security Secretary Michael Chertoff said that the fact that REAL ID and other strengthened identification cards can be forged is a security problem:

I certainly have seen intelligence that tells me that sophisticated criminals and sophisticated terrorists spend a great deal of time learning to fabricate and forge even these improved cards. The net effect of this may be that it’s going to be harder for people on campus here to get a drink when they’re under 21, but unfortunately it’s not going to be that much harder for the most sophisticated dangerous people to counterfeit an identity card.

What the senators would be creating is a trusted card that could and would be forged by sophisticated criminals. Even if you allow the senators’ contentions: the tamper-proof card would have the biometric credential only on the card so there would be no national database, we must then look at the cost of this system. There would need to be computer systems set up for the new high-tech cards, strong encryption, special paper, special readers to 7.4 million employers in the United States, training for employers and employees, and other costs, as well. This would cost billions, perhaps trillions.

And how quickly would this employment verification card be expanded to many more uses beyond employment verification? It is to be “a high-tech, fraud-proof Social Security card,” and Social Security data is used for numerous uses today. Your Social Security number is used to open a bank account, credit account or even cellphone account. How soon before these entities say, “I need you to prove your identity by scanning your high-tech biometric Social Security card”?

How quickly will this database go from being strictly to prove employment eligibility to being used by police departments to gather fingerprints while circumventing the warrant process and Fourth Amendment rights of search and seizure? Who else could have access to your fingerprint and iris scans? The United States already has discussed sharing fingerprint and other biometric data of suspects with European countries. It’s a small step to opening up a national employee biometrics database to other countries.

Besides the security problem, there is also a substantial problem for U.S. citizens and others who may legally work in the United States. During the REAL ID national identification card debate, critics of the REAL ID program noted there is the false positive problem. U.S. workers were having problems with an employment eligibility verification system using Social Security and Homeland Security error-filled databases.Several federal (pdf) government evaluations (pdf) noted problems with database checks that lead to initial rejections for individuals who are legally eligible to work in the US, causing significant problems for eligible workers and their employers, who have done nothing wrong.

I must reiterate: This biometric identification system, where you must prove to the government that you are eligible to work, is proposed for all U.S. employees, not just immigrants. It is a terrible proposal that will not solve the immigration problem, but instead create substantial employment problems for U.S. citizens at a time when many need help to find employment, not more barriers against it.

TELL CONGRESS WHAT YOU THINK

http://www.opednews.com/articles/Can-you-prove-you-re-not-a-by-Jim-Babka-100315-218.html

Advertisements

Contrary to public statements made by the Transportation Security Administration, full-body airport scanners do have the ability to store and transmit images, according to documents obtained by the Electronic Privacy Information Center.

The documents, which include technical specifications and vendor contracts, indicate that the TSA requires vendors to provide equipment that can store and send images of screened passengers when in testing mode, according to CNN.

The TSA has stated publicly on its website, in videos and in statements to the press that images cannot be stored on the machines and that images are deleted from the scanners once an airport operator has examined them. The administration has also insisted that the machines are incapable of sending images.

But a TSA official acknowledged to CNN that the machines do have these capabilities when set to “test mode.”

The official said these functions are disabled before the machines are delivered to airports and that there is no way for screeners in airports to put the machines into test mode to enable the functions. The official, however, would not elaborate on what specific protections, if any, are in place to prevent airport personnel from putting the machines in test mode.

The TSA also asserts that the machines are not networked, so they cannot be accessed by hackers.

ScienceDaily (Dec. 15, 2009) — Although physicians support the use of electronic health records, concerns about potential privacy breaches remain an issue, according to two research articles published in the January 2010 issue of the Journal of the American Informatics Association (JAMIA), in its premiere issue as one of 30 specialty titles published by the BMJ (British Medical Journal) Group, UK.

One published study is based on views of more than 1,000 family practice and specialist physicians in Massachusetts who were asked whether they thought electronic health information exchange (HIE) would drive down costs, improve patient care, free up their time and preserve patient confidentiality. They were also asked whether they would be willing to pay a monthly fee to use the system.

The electronic exchange of health information (HIE) among different long- distance providers has become the focus of intense national interest, following recent legislation and moves to offer cash incentives for those who switch to the system.
The responses showed widespread support for the use of HIE, even though only just over half were actually using electronic health records.

Most (86%) said that HIE would improve the quality of care and seven out of 10 thought it would cut costs. Three out of four (76%) felt that it also would save time.

But 16% said they were “very concerned” about potential breaches of privacy, while a further 55% were “somewhat concerned.”
The authors note that the responses indicate a lower level of concern than expressed by physicians in the UK, but suggest that this might change if breaches occur to a greater extent than currently recognized.

Despite their overall enthusiasm, physicians were not willing to support the suggested $150 monthly fee, and nearly half were unwilling to pay anything at all.

A second study reported in JAMIA, suggests that mental health professionals have significant concerns about the privacy and security of data on electronic health records.

Of 56 responding psychiatrists, psychologists, nurses, and therapists — out of 120 who were sent the survey–based at one academic medical center, most (81%) felt that the system permitted the preservation of “open therapeutic communications.” Most also felt that electronic records were clearer and more complete than paper versions, although not necessarily more factual.

When it came to privacy, almost two-thirds (63%) were less willing to record highly confidential information to an electronic record than they would to a paper record.

More than eight out of 10 (83%) said they if they were to become a patient, they would not want to include their own mental health records to be routinely accessed by other providers.

The authors point out that previously published surveys of patients/consumers have reflected a lack of confidence in tight security, and that people with mental health issues already face stigmatization.

While the narrative data of patients’ life histories and experiences inform clinical decision-making in psychiatric care, the threat of security breaches makes them vulnerable to potential misuse or misinterpretation, the authors say.
Adoption of electronic health records has been slower than anticipated, the authors add. And they conclude: “Designers of future systems will need to enhance electronic file security and simultaneously maintain legitimate accessibility in order to preserve confidence in psychiatric and other [electronic health record] systems.”

“The ramifications of data security cover more than the psychiatric domain, implying a need for considerable reflection,” they say.


Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern.

“Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with the Department of Homeland Security,” he says.


[BTC Comment – Is the State Department’s job to make egregious hacks look like it was all their idea and that they have everything under control?

I guess the more important question to ask is: are you in control of your identity and where your private information lands due to RFID deployment?

If you are confident RFID is insecure you reserve the right to demand more privacy provisions, especially if it’s a legal mandate and you are required to pay for it.]

RFID Passport Tags Save Time, Risk Privacy
By Jeff Goldman

c/o WiFi Planet

The presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is safe–and that the efficiency it adds at land borders is worth the risk.

By the time WHTI went into effect on June 1st of this year, requiring Americans to present passport books, passport cards, or EDLs when crossing land borders into the United States, over a million RFID-enhanced passport cards had already been issued. While WHTI itself isn’t new, its implementation for land borders was delayed two years ago in order to allow for further testing of passport card technology.

It’s important to note that there’s a key difference between e-passports(passport books) and passport cards. While passport cards use vicinity RFID (EPC Gen 2) technology, which can be read at distances of up to 30 feet, e-passports use ISO 14443 contactless smart card tech with a read range of a few inches. To compensate for their readibility (and therefore hackability) at a distance, passport cards only transmit an ID number that relates back to information stored in a secure central database, while e-passports store and transmit much more detailed information about the passport holder.

According to Randy Vanderhoof, executive director of the Smart Card Alliance, that difference was key to the selection of the two technologies. “The electronic passport was built knowing that it was going to store secure information like a person’s name, city of issuance, passport number, image of the person… and therefore they chose a more secure chip technology to protect that information—whereas the passport card was designed to be a static identifier to a central database, with no personal information stored in the chip itself,” he says.

Vanderhoof contends that the government’s decision to use the longer-range EPC Gen 2 technology in passport cards was a mistake. “The decision to trade speed over security and privacy, I think, was a poor decision on the part of the program managers under WHTI—but they repeatedly defended the decision because of the traffic flows through the land borders and the fact that they needed something that could be read from great distances,” he says.

Still, Paul Hunter, technical lead for the Western Hemisphere Travel Initiative at U.S. Customs and Border Protection, insists that the time savings provided by the passport cards are considerable. “We can actually read the documents as they’re approaching the booth…which means, instead of handing a document to an officer and him swiping it or manually typing in data, the data’s already there, and now he can focus on the person, and he can focus on the conveyance…it saves six to eight seconds per person,” he says.

And at a land border, Hunter says, time is of the essence. “We’re talking over 100 million crossings a year,” he says. “Those six to eight seconds actually are very significant. We’ve done time and motion studies where we’ve actually measured the time it takes to take the document, to bring it into the booth, to either manually type or swipe and then wait for the results—and if you eliminate all that, you are actually on average saving between six to eight seconds.”

What’s more, Hunter says, the same technology has already been in use for over ten years in the government’s SENTRI and NEXUStrusted traveler programs. “And we have not had one reported incident of somebody skimming that data and using it for nefarious purposes…the reality is, it’s just a number,” he says. “And we further mitigate that by making sure the data that’s associated with that is in a secure back-end database.”

Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern. “Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with theDepartment of Homeland Security,” he says.

But Paget himself, now president and CTO of the security research firm H4RDW4RE, says that ID number shouldn’t be so easily accessible. “You shouldn’t necessarily think of it as low-risk just because it’s a number,” he says. “Your social security number is just a number. Your credit card number is just a number. It’s the meaning that’s attached to those numbers that makes it risky—and in this instance, it’s an identifier for a person, so any time you see that identifier, you can be certain that you’re seeing that same person.”

One possible solution, Paget says, would be to add an on/off switch to the passport card, as has been suggested by Dr. Ann Cavoukian,Information and Privacy Commissioner for the Canadian province of Ontario. Paget says it’s simply a matter of adding “a button on the card that you have to physically squeeze to turn the tag on, at which point it can be read—so it completely negates the need for shielding…because the tag is off until you actually want it to be turned on.”

The larger point, Paget says, is that RFID needs to be approached with the same caution as the Internet—both, essentially, are simply untrusted networks that move bits of data from point a to point b. “There’s no reason why RFID cannot have equivalent security to something like SSH or SSL that we use on the Internet all the time…I’m certainly not against RFID as a technology: I think it’s got great potential, but there needs to be a lot more security involved in the design of the systems,” he says.

NEW YORK (Reuters) – U.S. authorities announced what they believed to be the largest hacking and identity theft case ever prosecuted on Monday in a scheme in which more than 130 million credit and debit card numbers were stolen.

Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement.

The suspects also hacked two unidentified corporate victims, the U.S. attorney’s office in New Jersey said in the statement. :::MORE HERE:::

These updates in from Slashdot.org


Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK’s proposed personal identification credential:“The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.”
FourthAge writes“Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The ‘security enhancing’ RFID chips are now found in passports, official documents and ID cards. ‘For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,’ said security expert Brian Marcus, one of the people behind the RFID webcam project. ‘This is why we’re so adamant about making people aware this is very dangerous.'”

Wired Magazine, Kim Zetter 

LAS VEGAS — It’s one of the most hostile hacker environments in the country –- the DefCon hacker conference held every summer in Las Vegas.

But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.

The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.

It was part of a security-awareness project set up by a group of security researchers and consultants to highlight privacy issues around RFID. When the reader caught an RFID chip in its sights — embedded in a company or government agency access card, for example — it grabbed data from the card, and the camera snapped the card holder’s picture.

But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned.::MORE HERE:::