A couple of years ago, governments around the world began deploying RFID-enabled identity documents, including passports and driver's licenses. Knowing this was coming, I renewed my passport before RFID was included. I'm a paranoid geek, but then I'm an IT security guy, so paranoia is part of the job description.
Last week, Geeks are Sexy reported that a fellow in California decided to prove the point.
By hooking a $250 Motorola RFID reader and an antenna to his laptop, Chris Paget was able to easily harvest and clone multiple RFID identity documents while driving through San Francisco.
It’s certainly convenient for travelers and for governments to be able to read passports and other identity documents without us having to present them, but this sort of thing violates one of the basics of information security, namely confidentiality. If the information in question is out there in the open, without any sort of controls on who can read it, should we really be surprised when someone decides to read it? Geeks being who we are, we’ll do this sort of thing, or bluetooth sniping, or some other unintended but obvious use of the information that’s floating around.
I’d like to think that governments would have a stake in making sure that our identity information is secure, but most of my arguments seem pretty hollow in my ears. Does it cost them money in lost tax revenue? How about investigative costs? Aren’t they supposed to uphold law and order? My fear is that all of these pale in comparison to the ability to monitor people without their being bothered. My more paranoid self says that RFID enabled passports, drivers licenses, and cell phones could be turned into an awesome tool of a police state. Your location would be known at every moment. Heck, every month I print out my iPass tollway traffic so I can expense it for the business. Who else has access to this information?
Advocates of government surveillance frequently ask us “what do you have to be concerned about if you’re not breaking the law?” They say “We’ll only use our powers for good.” My latest response has been to point them to the reports last year regarding NSA eavesdropping on American soldiers calling home and having steamy conversations with their significant others. In fact, here’s a good case in point. We have a policy of “Don’t ask, don’t tell” in the armed forces. Homosexuality is not technically illegal, but if it comes to light, a soldier can be discharged. What would happen if the NSA eavesdropped on a call between a male American soldier and his boyfriend back home? I’m sure it would be great consolation to him that the government only eavesdrops on us for our own good.
Perhaps I'm just getting to be an old timer. When I started managing computer systems for the telephone company in the late 1980s, the game was to break into systems primarily to learn something. Occasionally there were malicious attempts to access information, such as phreaks setting themselves up with free phone service, but for the most part, the damage to society at large was fairly limited.
Late in January, we learned about a security breach at Heartland Payment Systems. According to coverage at Computerworld, it seems the attackers placed some sort of malware into the Heartland network and were able to capture an undisclosed number of credit card transactions, primarily from smaller businesses such as gas stations and convenience stores. Heartland isn't saying how many accounts were compromised, but they process about 100,000,000 transactions per month, and they were apparently notified by the card companies of a possible problem last October, and, well, you do the math.
People breaking into computer systems these days aren’t doing it for fun, or to learn how things work, or at least they’re not the only ones breaking in. The naive period of hacking adolescence has passed. We’re not looking around in empty houses under construction, we’re breaking into occupied houses and robbing them while the owners are there.
Computer security is serious business, and business has given it very little attention. To make matters worse, the public really doesn’t seem to care either. TJX has a massive security breach: what happens to the stock? It goes up.
Until consumers start caring about how much money lax security is costing them, there will be no change. Since consumers aren't showing any inclination to care, the only hope for us is making a criminal negligence complaint against businesses that take absolutely no care of our identities.
One of the most distressing things about being a security professional in today’s IT environment is what seems like a lax attitude towards securing customer information. All that could change if a ruling by the FTC against ValueClick, a spammer, stands up in court. In addition to settling with ValueClick regarding violations of the CAN-SPAM act, the FTC claims that ValueClick is also liable for not following their own advertised security policies.
“In the past, companies that failed to protect customer data have argued that they are immune from prosecution unless consumers can directly prove that they suffered harm from the breach of their personal information,” Kamber explains. “Given that hackers are generally pretty good at covering their tracks, this argument — if accepted — would mean that few companies would have to account for their negligence.”
So quotes an article at Dark Reading. Kamber is Scott Kamber, a partner at Kamber Edelson LLC, a legal firm that specializes in cyber security law.
This would be a novel first, and a good one as well. To date, companies and other organizations that disclose their customers' confidential information have been in for not much more than credit counseling and fraud monitoring on those customers' behalf. This, frankly, is a slap on the wrist. Until organizations are held liable, in a significant way, for disclosing sensitive information, they will see little incentive for taking preventative measures.
For some context, in the last few years, hundreds of millions of people have had their confidential information disclosed to unauthorized parties. While it might prove burdensome for businesses to have to pay any sort of real damages when they fail to take adequate measures to protect confidential information, I believe that’s the only way to see that the necessary measures are actually taken, since it’s clear that the market can’t police itself.
The expanding use of RFID chips, and their ever-decreasing size, has led to what sounds like science fiction to me. A company called Nox Defense has created RFID tags so small that they are calling it “RFID dust”, and saying these tags can be scattered on the ground and then, per the original article on HelpNet:
People pick up the ID-Dust on their shoes, which covert RFID readers track, triggering video surveillance and alerting security personnel on hand-held devices. The Nox software creates a complete history of exactly where the person travels and when, and combines a facility map with real-time video surveillance.
It's pretty incredible to me that we can now make these chips so small that they are 1) unnoticeable and 2) small enough to stick to your shoes, yet still have the ability to transmit radio signals any significant distance. Add to that doing so with any sort of encryption, which they also claim. I'd say it sounds like witchcraft, but the world moves on, and perhaps it's true.
Years ago, Xerox developed active badges that would track your presence at PARC as you moved around. Doors would unlock for you as you approached if you had access. The phones were also hooked into the system: if the phone rang, it was for someone in the room at the time.
So what’s the point of that story? The employees at Xerox were aware that they were being tracked, and being the type of people who worked at PARC, they had in some sense signed up for that sort of treatment. But even Xerox didn’t track you in the bathroom.
The creation of RFID tags that are now embedded in passports and computer equipment, and now even small enough to be scattered on the ground, is enabling a culture of surveillance that's deeply troubling to me. I don't have enough faith left to believe that people won't abuse that power, and the continuing abuse of National Security Letters doesn't do much to convince me that I'm being overly suspicious.
I don't dispute that employers should be able to protect their equipment, and that they shouldn't have to put up with employees stealing from them. This leaves me conflicted: I don't support theft, but I don't support a culture of surveillance either. There has to be a way to balance these things out, but it's gonna take someone smarter than me.
Caveat: I'm not a big user of social networking sites. I've always thought of myself as a bit more private than that. Perhaps this amplifies my concern over this story in the New York Times (found via Slashdot, where there's more commentary) about Facebook subscribers' inability to remove their information from the service when they decide to "deactivate" their accounts. Per the NYT story:
While the Web site offers users the option to deactivate their accounts, Facebook servers keep copies of the information in those accounts indefinitely. Indeed, many users who have contacted Facebook to request that their accounts be deleted have not succeeded in erasing their records from the network.
This is very troubling in the age where companies are compromised every day, and personal information routinely and illegally disclosed. Many enterprises are adopting the position that if they don’t need information about you, they’re simply not going to store it. In the event of a compromise, the less information a company has about you, the less it can lose.
Against this tide goes Facebook. Their privacy policies state that they may maintain backup information for “a reasonable period of time” but are not very forthcoming about exactly what’s going on. If you contact customer service, it apparently becomes somewhat clearer what you have to do:
Only people who contact Facebook’s customer service department are informed that they must painstakingly delete, line by line, all of the profile information, “wall” messages and group memberships they may have created within Facebook.
“Users can also have their account completely removed by deleting all of the data associated with their account and then deactivating it,” Ms. Sezak said in her message. “Users can then write to Facebook to request their account be deleted and their e-mail will be completely erased from the database.”
The arguments are that you may want to return in the future, but these seem like hollow reasons to me.
“Deactivated accounts mean that a user can reactivate at any time and their information will be available again just as they left it.”
Much more compelling is the argument that they want to continue to sell your information to their ad partners.
The network is still trying to find a way to monetize its popularity, mostly by allowing marketers access to its wealth of demographic and behavioral information. The retention of old accounts on Facebook’s servers seems like another effort to hold onto — and provide its ad partners with — as much demographic information as possible.
Perhaps I’m just too used to the fact that I have a personal side, and business/public side, and that the two shouldn’t mix. It would scare the willies out of me if I discovered I could not change my mind, and easily leave a site like Facebook if I wanted to.
Update: Apparently Facebook has added instructions on deleting your profile to their help page, in the face of public pressure. From the sounds of it, it’s still not entirely satisfactory.
Last week, I wrote about the possibility of having your smartphone searched when you're pulled over for a traffic violation. Even more concerning, the Washington Post has this article up about searches of laptops and other electronic devices by federal agents in airports.
The lawsuit was inspired by two dozen cases, 15 of which involved searches of cellphones, laptops, MP3 players and other electronics.
The article cites examples where travelers were asked to surrender their login and password, to access their email, and divulge other potentially sensitive information. One woman had her laptop taken, after she surrendered the login and password, and it’s never been returned:
“I was assured that my laptop would be given back to me in 10 or 15 days,” said Udy, who continues to fly into and out of the United States. She said the federal agent copied her log-on and password, and asked her to show him a recent document and how she gains access to Microsoft Word. She was asked to pull up her e-mail but could not because of lack of Internet access. With ACTE’s help, she pressed for relief. More than a year later, Udy has received neither her laptop nor an explanation.
All this, without a warrant. If this doesn’t qualify as unreasonable search and seizure, I’m really at a loss as to what does.
As a result of these actions, some corporations have issued instructions that employees clear their hard drives of sensitive information before traveling overseas. You may wish to no longer travel with that laptop or smartphone.
Update: Computerworld has a follow-up on "5 Things You Need to Know About Laptop Searches at U.S. Borders".
Found over on CNN, an alarming article on the latest plans the FBI has to catalog everything about you, more or less.
The FBI is gearing up to create a massive computer database of people’s physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists.
It’s really there to track criminals and terrorists, the usual boogeymen. But wait, then we read later in the article:
You don’t have to be a criminal or a terrorist to be checked against the database. More than 55 percent of the checks the FBI runs involve criminal background checks for people applying for sensitive jobs in government or jobs working with vulnerable people such as children and the elderly, according to the FBI.
The FBI says it hasn’t been saving the fingerprints for those checks, but that may change.[...]
This sort of thing makes me really uncomfortable, and that's coming from someone whose fingerprints are already on file. Maybe I'd better explain that: I used to work for a defense contractor, so my fingerprints are on file for the background check. And I'm sure that rants like this won't help.
I’m not 100% clear on exactly how this helps with terrorists. I mean, weren’t the 9/11 hijackers here legally? Didn’t they do everything possible to stay under the radar (except asking to learn how to land, I suppose)?
Do we then want to start compiling large files on people's points of view, monitoring their conversations, reading their email, and associating it with their biometric information, such as iris scans and palm prints, even when they haven't done anything illegal? I'm probably just being paranoid. It's not like we would maintain information on people even if they're innocent. Unless they're applying for sensitive jobs. Or just because we say so.
Somebody hand me my tinfoil hat.
I wrote earlier in the week about the possible use of something like CAPTCHA to combat Cross-site Request Forgery attacks, and as if by magic, we see the news breaking that CAPTCHA has apparently been cracked by a team of Russian hackers. For a quick recap, CAPTCHA generates images consisting of letters and numbers, then asks the (presumably human) user of a site to enter them in order to verify that it’s a human using the service, rather than a machine.
The wily Russian(s) in question claim the ability to decode CAPTCHA about 35% of the time, which is probably plenty for most sites. This would probably severely hamper, if not eliminate, the usefulness of CAPTCHA as part of the CSRF solution.
Back to the drawing board…
There’s an interesting article over at the Washington Post, found via Slashdot, in which we find that the EU is proposing that IP addresses be treated as personal data.
Scharr [Germany's data protection commissioner] told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, “then it has to be regarded as personal data.”
I've long been a fan of the way Europe treats personal information. Here in the US, it seems that any information a business collects about me is the property of the business. This includes things like my address, my birthday, my phone numbers, etc.
In Europe, personal information is treated as the property of the person, rather than the business, and the restrictions on what can be done with the information, and how it must be protected are rather more stringent.
It’s going to be a real challenge to treat IP addresses in this category. For one thing, as the article points out, these addresses can (and do) change when addresses are dynamically assigned via DHCP, rather than statically bound to a person.
It's also going to be a real change of business practices for anyone using IP addresses to track purchases, or otherwise snoop on an internet user. What, for instance, will this mean for your average web site, whose web server logs are full of these IP addresses, recording where requests came from and what was requested? How will we balance the right of the individual or business providing a web site to manage their services with the right of the EU individual to have their IP address secured as personal information?
It’s too soon to see what this means yet, but on the face of it, it looks like the stated goal of the EU is going to be technologically very difficult to achieve.
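One practical answer to the web-server-log question above, as an added example that is not from the original post: a short Python script that truncates each client address in Apache combined-format log lines (zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, a common pseudonymization convention) before the logs are retained, so the request data stays useful for running the site while the address no longer points at one person. The log lines are constructed samples using documentation address ranges.

```python
import ipaddress
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [10/Feb/2009:14:02:11 -0600] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2009:14:02:12 -0600] "POST /login HTTP/1.1" 302 0 "http://example.com/" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Feb/2009:14:02:13 -0600] "GET /about HTTP/1.1" 200 812 "-" "curl/7.19"
"""

# First field of a combined-format line is the client address; the rest is kept as-is.
LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")

# Prefix lengths kept: /24 for IPv4 (drop last octet), /48 for IPv6 (drop last 80 bits).
KEEP_PREFIX = {4: 24, 6: 48}


def mask_ip(ip_text: str) -> str:
    """Return the address with its host part zeroed; non-address text is returned unchanged."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text  # e.g. "-" or a hostname when HostnameLookups is on
    net = ipaddress.ip_network(f"{ip}/{KEEP_PREFIX[ip.version]}", strict=False)
    return str(net.network_address)


def mask_log_line(line: str) -> str:
    """Mask only the leading client-address field of one combined-format log line."""
    m = LINE_RE.match(line)
    if not m:
        return line  # malformed line: leave it for manual review rather than guess
    return mask_ip(m.group("ip")) + m.group("rest")


def mask_log(text: str) -> str:
    """Mask every line of a log file's contents."""
    return "\n".join(mask_log_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(mask_log(SAMPLE_LOG))
```

Run this over the log before it is archived or shipped to an analytics tool; the remaining /24 or /48 still supports coarse traffic analysis without identifying a single subscriber.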
Over at Gizmodo, there’s this article on searching people who are pulled over for traffic violations:
In a recent academic paper, South Texas Assistant Professor Adam Gershowitz explains that because many traffic violations are arrestable offenses, just as a cop could search your pockets for drugs, said cop can also search your pockets for a smartphone and go through all its contents.
And so, privacy takes another step backwards in the face of technology.
The founding fathers never created a right to privacy. There’s the whole “life, liberty and pursuit of happiness” bit, but to our everlasting chagrin, there is no guarantee of privacy in the Constitution or the Bill of Rights.
It’s not fair to beat the founding fathers up too badly about this, I suppose. They lived in a world where the technological ability to do the things we can do today were never imagined. Why, even a few years ago, the very idea that the security organs of governments could monitor every email, every packet of information on the Internet, and every phone call were far-fetched. But this is the world we live in today.
And a depressing thought is that the people in the United States seem increasingly to be content to sacrifice their rights for an incremental increase in security. Even the ones that are in the Bill of Rights. Where’s the outcry when we use National Security Letters to secure information without a search warrant, and without judicial review?
Security, however, is an illusion: all you've done is give up your rights without a fight. Benjamin Franklin is credited with the quote "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety", and while I agree with the sentiment (although, to be fair, there is some controversy surrounding the attribution), we can't just go quietly along with every incursion into the should-be right of privacy, or soon there will be none left.
So make sure to lock your cell phone. Because your glovebox can’t be searched if it’s locked, then your phone can’t be searched if it’s locked, right? And while our rights trickle away, taken by those who were sworn to protect them, I’ll go back to ranting in the void.