Weblog - Security weblog
http://security.leisink.org/

British 'unbreakable' ID card hacked in 12 minutes

[quote]New ID cards are supposed to be 'unforgeable' - but it took our expert <a href="http://www.dailymail.co.uk/news/article-1204641/New-ID-cards-supposed-unforgeable--took-expert-12-minutes-clone-programme-false-data.html" target="_blank">12 minutes to clone one</a>, and programme it with false data.[/quote]

Although this sounds pretty serious to you and me, the English government is doing nothing about it.

http://security.leisink.org/weblog/103 (Thu, 06 Aug 2009 22:09:08 +0000)

Dutch man in Belgian prison after identity theft

An innocent Dutch man has been <a href="http://www.nu.nl/algemeen/2045441/nederlander-ten-onrechte-in-belgische-cel.html" target="_blank">locked up for two weeks</a> (english) in a Belgian prison. Earlier, his identity documents had been stolen in Rotterdam. The thief used those documents to commit all sorts of crimes in Belgium.

Governments are attaching more value to identity documents these days. But they have no idea how to handle a situation of stolen identity documents and identity theft. I know the Dutch government obliges every Dutch citizen to always carry an ID, but it's far safer to leave it at home when you don't need it than to have it with you.

http://security.leisink.org/weblog/102 (Wed, 29 Jul 2009 20:10:43 +0000)

US has access to bank information of every EU citizen

The U.S. government is probably <a href="http://frontpage.fok.nl/nieuws/114681" target="_blank">getting access to bank account information</a> (english) of every EU citizen. And of course all in order to 'fight terrorism'. Of course, this is pretty scary. But even more scary is the fact that there is no end to this. We still have a little privacy left... to lose...

http://security.leisink.org/weblog/101 (Tue, 28 Jul 2009 19:52:46 +0000)

Navigation-Cooperative Intelligent Pedal

Nissan created a <a href="http://www.nissan-global.com/EN/NEWS/2009/_STORY/090724-01-e.html" target="_blank">system</a> to assist the driver based on GPS and map information.

I hope Nissan realizes that map information in GPS systems isn't always up to date. You might wonder whether the chance of incorrect road information is higher than that of a person speeding when approaching a curve in the road.

http://security.leisink.org/weblog/100 (Mon, 27 Jul 2009 21:40:46 +0000)

Restart

I've decided to restart my security weblog. I know not many people read my weblog. After all, the world is filled with weblogs. But I'm doing it more for myself. Having this weblog forces me to think about all the security news items. I want to stay focused on what's going on with security, especially in the Netherlands.

http://security.leisink.org/weblog/99 (Fri, 10 Jul 2009 07:15:17 +0000)

DNA of young children in database

The police of England want to <a href="http://www.guardian.co.uk/society/2008/mar/16/youthjustice.children">take the DNA of young children</a> if they exhibit behaviour indicating they may become criminals in later life. And if they had the time and money, they would like to put the DNA of everyone in the UK in that database.

Children who exhibit bad behaviour are better off with some proper upbringing and education instead of being marked as 'potential criminal' in some DNA database. It's very dangerous to accuse them of things they have not done yet. Things which can also be done by 'good' people.

The English government is doing some scary things lately. They are looking at the English citizens through their databases, instead of looking at the actual people. They want to control the English people, instead of organizing the country for them. England is very close to becoming a police state.

http://security.leisink.org/weblog/98 (Fri, 21 Mar 2008 00:00:00 +0000)

Blu-ray copy protection hacked

SlySoft, the makers of AnyDVD HD, have released an updated version of the copy-protection removal tool which allows Blu-ray owners to <a href="http://blogs.zdnet.com/hardware/?p=1542">copy Blu-ray discs</a>.

It amazes me that companies still use copy protection on their CDs, DVDs, MP3s, etc. There is a simple rule: what can be read, can be copied. For every new copy protection method, the question is not "will this one work?", but "how long before it gets hacked?".

http://security.leisink.org/weblog/97 (Wed, 19 Mar 2008 00:00:00 +0000)

MI5 wants access to travel records

The secret service of England, MI5, wants to have <a href="http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism">full access to travel records</a> of the seventeen million people travelling by underground, bus and train. With that, MI5 can see the comings and goings of all those people. And of course, the 'fight against terrorism' is again used as an excuse.

An important question for the English people is how this is going to make their lives safer. They still have the chance of being killed in a car accident, getting shot during a shop or bank robbery or dying from a heart attack because of eating too much unhealthy food. How do those dangers compare to the chance of being wounded or killed during a terrorist attack? How big is that chance really?

MI5 says they need the travel records in their fight against terrorism. But they didn't say why. How is travel information going to be helpful? How can it say anything about whether someone is a potential terrorist or not?

http://security.leisink.org/weblog/96 (Mon, 17 Mar 2008 00:00:00 +0000)

Germany and USA sharing biometric information

Germany and the USA have agreed to <a href="http://www.usdoj.gov/ag/speeches/2008/ag_speech_080311.html">share biometric information</a> about their citizens. The excuse for this is the well-known 'fight against terrorism'.

For citizens, there are several dangers in the data mining done by governments: you have no right to see what information is being kept about you and you certainly have no right to correct any mistakes. This danger will become even bigger when more types of information are being gathered and combined and countries start sharing this information. The greatest danger is when in the near future you will no longer be who you really are, but you become only what the government knows about you. Whether this is correct or not.

http://security.leisink.org/weblog/94 (Wed, 12 Mar 2008 00:00:00 +0000)

Pacemaker hacking

Researchers have discovered it's quite easy to <a href="http://www.secure-medicine.org/icd-study/icd-faq.html">hack pacemakers</a>. Modern pacemakers are able to communicate wirelessly. There is no form of encryption used for the communication. This gives hackers the ability to steal private information stored in the pacemaker or, even worse, shut down the pacemaker or reprogram it to make it give a deadly electric shock to its wearer.

It's often said: security is a state of mind. Computers and electronics are more and more used to make life easier, but it's often forgotten to prevent bad people from abusing these computers and electronics. I'm sure many people will ask "who would have expected that hackers want to hack a pacemaker?". The answer is probably: "no one". And that's exactly why hackers will do it.

http://security.leisink.org/weblog/95 (Wed, 12 Mar 2008 00:00:00 +0000)

Captcha hacking

To protect a website against automated actions, a <a href="http://en.wikipedia.org/wiki/Captcha">captcha</a> is often used. Hackers and spammers have been trying to beat the captcha, but the captchas are also being improved. This is an 'ongoing battle', but according to an article on <a href="http://webwereld.nl/articles/50074/-captcha-s-hebben-langste-tijd-gehad-.html">Frequency X Blog</a>, it's time to abandon the captcha and find a new technique to find out which web request was made by a human being and which one was made by a hack or spam script.

http://security.leisink.org/weblog/93 (Wed, 27 Feb 2008 00:00:00 +0000)

Freezing encryption keys

[quote]A group led by a Princeton University computer security researcher has developed a simple method to <a href="http://www.nytimes.com/2008/02/22/technology/22chip.html">steal encrypted information stored on computer hard disks</a>.

In a technical paper that was published Thursday on the Web site of Princeton's Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.

When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys, long strings of ones and zeros, out of the chip's memory.[/quote]

This is very impressive, although it's not easy to exploit because you have to have physical access to the victim's computer. Nevertheless, this shows that using cryptography does not guarantee the safety of your information. You need other security measures to make the use of cryptography work: a policy for physical access to your computers in this case.

Security is like a chain: it's as strong as the weakest link. When it breaks, the rest of the security measures are worthless.

http://security.leisink.org/weblog/92 (Fri, 22 Feb 2008 00:00:00 +0000)

Fingerprint databases

State secretary Ank Bijleveld of the Ministry of the Interior and Kingdom Relations wants <a href="http://life.tweakers.net/nieuws/51920/vingerafdruk-van-alle-nederlanders-toegankelijk-voor-justitie.html">fingerprints of every Dutchman in a national database</a> (english) and to make them available to the police and the justice department.

It's not this specific fingerprint database that scares me. What really scares me is: where will this end? In the first place, the fingerprints taken during passport application were supposed to be used only to prevent fraud with identity documents. Now, they want to make them available to the police and the justice department. The government has been busy with a public transport chipcard and a GPS system for vehicles for tax purposes. With those systems, the government <i>can</i> track the movement of every person. An interesting question is when they <i>will</i>.

We are living more and more in a digital world. Things that have not already been digitalized will probably be in the future. It's likely that biometrics will be replacing passwords and electronic keycards. The difference between biometrics, a fingerprint for example, and a password is that a password can be changed once it has been compromised and a fingerprint cannot. Therefore, it's very important that you are very careful to whom you give away your biometric information.

The use of the fingerprints to fight crime is a false one. What the government probably doesn't realize is that once a person has given his/her fingerprint to the government, he/she will be extra careful not to leave behind fingerprints while committing a crime. In other words, as soon as you start building a fingerprint database, it will become useless.

During World War II, the Dutch government had a database which contained information about every Jew in the Netherlands. They had no bad intention with it, but the Nazis gratefully used it for their own purpose. So, the question is not what the government will do with it, but what other people, like criminals, will do with it once they obtain it. And since the government is really good at losing laptops, USB sticks and CD-ROMs, that's probably only a matter of time.

It's not only the Dutch government that has begun the hunt for fingerprints. The European Commission wants <a href="http://www.nu.nl/news/1432759/21/rss/Brussel_wil_vingerafdrukken_vreemden_aan_grens.html">fingerprints of every person visiting the European Union</a> (english).

A national fingerprint database is stupid, dangerous and will NOT improve our safety and security. It will not make us safer, for the simple reason that you can't read someone's intention in that person's fingerprint. And when you do have the fingerprint of a criminal, you still have to catch him.

It's often said you don't have to be afraid when you have nothing to hide. And that's exactly where the problem is. Everyone has something to hide, namely a private life. When I go to the bathroom, have sex, discuss private things with friends or family, plan my life, it's no one's business but my own. It's exactly those things I want to hide from the rest of the world. Privacy makes me able to be who I am: myself. It's a basic human need.

Bruce Schneier has written a nice <a href="http://www.schneier.com/essay-114.html">article</a> about privacy.

http://security.leisink.org/weblog/91 (Sat, 16 Feb 2008 00:00:00 +0000)

Surveillance cameras

An interesting website about surveillance cameras in the street: <a href="http://www.cameratoezicht.nu/">www.cameratoezicht.nu</a> (dutch website).

http://security.leisink.org/weblog/90 (Thu, 14 Feb 2008 00:00:00 +0000)

Schiphol security

A reporter has demonstrated it's very easy to <a href="http://www.ad.nl/binnenland/article2029191.ece">bring drugs and explosives aboard an airplane</a> (english). Disguised as a platform employee he managed to easily get round customs and security.

That airport security isn't really good is <a href="/weblog/76">nothing</a> <a href="/weblog/72">new</a>. It's a common fact that about 80% of all security incidents are caused by an organisation's own employees. So, Schiphol should have known better.

Jan de Wit of the Dutch House of Representatives stated that <a href="http://www.nu.nl/news/1423771/11/rss/GroenLinks_wil_spoeddebat_over_beveiliging_Schiphol.html">the security risks at Schiphol are of course huge</a> (english). If the risks are really huge, why haven't we seen any terrorist attack? Or at least an attempt? Could it be because in fact there isn't any terrorist threat?

http://security.leisink.org/weblog/89 (Wed, 06 Feb 2008 00:00:00 +0000)

Security versus Privacy

A funny comic that illustrates "security versus privacy" very well.

<img src="/images/security_fence.jpg">

picture from <a href="http://www.csmonitor.com/">The Christian Science Monitor</a>

http://security.leisink.org/weblog/88 (Tue, 29 Jan 2008 00:00:00 +0000)

Dutch electricity network hack proof

Administrators of the Dutch electricity network claimed their network is <a href="http://www.webwereld.nl/ref/rss/49507">hack proof</a> (english), because it's not connected to the internet.

An attack on your network via the internet is not the only threat. And even when you have applied all the appropriate security measures, it's still dangerous to think you are therefore safe. People make mistakes sometimes, so things can still go wrong. Another thing to be alert for is <a href="http://en.wikipedia.org/wiki/Social_engineering_(computer_security)">social engineering</a>, a dangerous form of attack for which there is no technological solution. Therefore, their claim is very likely not true.

http://security.leisink.org/weblog/86 (Mon, 21 Jan 2008 00:00:00 +0000)

Unstealable police car stolen

A police car of the German police, which was supposed to be unstealable, <a href="http://frontpage.fok.nl/nieuws/86888">has been stolen</a> (english). It was stolen because the policemen who drove the car left the keys inside the car after they left it.

A nice example of technological security measures beaten by security-unaware human behaviour. You can have all the fancy technological security measures. If people don't know how to use them, they are completely worthless.

http://security.leisink.org/weblog/87 (Mon, 21 Jan 2008 00:00:00 +0000)

OpenID

Google, IBM and Yahoo are <a href="http://www.computable.nl/nieuws.jsp?id=2282306">interested in using OpenID</a>.

<a href="http://www.openid.net/">OpenID</a> may look like a good solution because of its ease of use. But OpenID is also dangerous. It's like having the same password for every website. Once your ID gets compromised, the attacker has access to all your accounts.

http://security.leisink.org/weblog/85 (Mon, 14 Jan 2008 00:00:00 +0000)

Clarkson stung after bank prank

This is really <a href="http://news.bbc.co.uk/2/hi/entertainment/7174760.stm">hilarious</a>!

http://security.leisink.org/weblog/83 (Tue, 08 Jan 2008 00:00:00 +0000)

Algorithm of OV card reverse engineered

At the end of 2007, German hackers <a href="http://video.google.com/videoplay?docid=4252367680974396650&hl=en">reverse engineered</a> the cryptographic algorithm of the NXP Mifare RFID chip. An interesting detail about this chip is that <a href="http://www.volkskrant.nl/economie/article492709.ece/Geheime_code_van_ov-kaart_ligt_op_straat">it's used on the Dutch OV (public transport) card</a> (english) which is to be released in 2009.

The security of the OV-card was also based on the secrecy of the cryptographic algorithm used. The chip on the OV-card of course contains this cryptographic algorithm. So when the chip was made available to the public, it was only a matter of time before someone hacked the algorithm.

Good cryptographic algorithms depend on the secrecy of the key(s), not on the secrecy of the algorithm itself. A cryptographic algorithm should therefore be open, so the whole world can test its strength. NXP kept its cryptographic algorithm secret, so it's very likely they didn't have much confidence in the algorithm themselves.

NXP says there's nothing to worry about, because although the algorithm has been reverse engineered, the encryption key has not been hacked yet. The key length of the algorithm is 48 bits. With modern computers, keys of that length can be cracked within a few hours. We only have to wait for someone who implements the algorithm and starts cracking.

Update (15 jan):
A student of the Radboud University in Nijmegen has been able to <a href="http://www.computable.nl/nieuws.jsp?id=2285626">duplicate</a> (english) the OV-card.

Update (17 jan):
<a href="http://www.computable.nl/nieuws.jsp?id=2288951">TNO: close to hacking the OV-card</a> (english)
<a href="http://www.webwereld.nl/ref/rss/49460">Rop Gonggrijp about the OV-card</a> (english)

http://security.leisink.org/weblog/84 (Tue, 08 Jan 2008 00:00:00 +0000)

Boeing hacking

The <a href="http://uneasysilence.com/archive/2008/01/12812/">computer network</a> in the passenger compartment of Boeing's 787 Dreamliner, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems.

A nice example of insecure by design. This kind of design flaw would very likely have been exposed during an audit. It's clear Boeing never had an audit of the design of this aircraft. So you can ask yourself: how safe is this aircraft?

http://security.leisink.org/weblog/82 (Sun, 06 Jan 2008 00:00:00 +0000)

Losing computer data should be made a crime

[quote]Recklessly or repeatedly mishandling personal information <a href="http://politics.guardian.co.uk/homeaffairs/story/0,,2234448,00.html">should become a criminal offence</a>, a committee of MPs urges today in the wake of the child benefit fiasco.[/quote]

When people are handling data and are not aware of whether it should be handled securely, or of how to even do that, data loss is not prevented by just making it a crime. Instead, you should inform them about information security and how they can help. It's all about security awareness and defining clear policies about how to handle information.

http://security.leisink.org/weblog/81 (Sat, 05 Jan 2008 00:00:00 +0000)

Cameras in underground railway of Rotterdam

The public transport company RET has announced that it will <a href="http://www.nu.nl/news/1375594/12/rss/Alle_metro%27s_Rotterdam_krijgen_camera%27s.html">install cameras in the underground railway</a> (english) of Rotterdam. They say "customers have to feel safe".

It has been <a href="/weblog/47">proven</a> that cameras do not automatically increase security and lower crime rates. A stab with a knife or a pickpocketing can be done in seconds. A camera doesn't prevent that. Especially because you can't watch every inch of a railway station or a train via cameras.

http://security.leisink.org/weblog/79 (Thu, 03 Jan 2008 00:00:00 +0000)

Possible attack on new year party prevented

Three men have been arrested for <a href="http://www.nu.nl/news/1375872/10/rss/%27Nieuwjaarsfeest_Erasmusbrug_was_doelwit_aanslag%27.html">planning an attack</a> (english) on a new year party on the Erasmus bridge in Rotterdam. According to the <a href="http://www.telegraaf.nl/binnenland/2932263/_Nieuwjaarsfestijn_doelwit_terroristen__.html?p=19,1">Telegraaf</a> (english), the three men planned to kill visitors of the party.

It's good to hear nothing terrible has happened. But this is a good example that terrorist attacks can happen everywhere, not only on airplanes. And compulsory identification could not have prevented the attack.

http://security.leisink.org/weblog/80 (Thu, 03 Jan 2008 00:00:00 +0000)

Happy New Year

I wish you all lots of safety and privacy in 2008!

http://security.leisink.org/weblog/78 (Tue, 01 Jan 2008 00:00:00 +0000)

Netherlands becoming a police state

According to privacyinternational.org, The Netherlands is doing well on <a href="http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597">becoming a police state</a>. This is also due to the compulsory identification, the Electronic Child Dossier and the providing of personal information by Dutch ISPs to BREIN when requested.

http://security.leisink.org/weblog/77 (Mon, 31 Dec 2007 00:00:00 +0000)

Terrorism threat in Belgium

Belgium is in a <a href="http://frontpage.fok.nl/nieuws/85691">high state of alert</a> (english) for a terrorist attack, because they hindered an attempt to free a Tunisian football pro convicted of terrorism.

In order to protect the Belgian people, the police forces are on increased alert. To have policemen or soldiers watching crowded areas like airfields or shopping places might make you feel safe, but you should ask yourself: how much can they really increase your safety? If terrorists really want to kill people, can they be stopped by some policemen or soldiers on guard? A car bomb, a suicide terrorist with a bomb vest, a handful of terrorists with automatic guns... it's much easier to do than to prevent. The high state of alert lasts until January 2nd. It's even easier for a terrorist to wait until January 3rd.

http://security.leisink.org/weblog/76 (Sat, 22 Dec 2007 00:00:00 +0000)

Hirsch Ballin wants to ban stilettos

The minister of the Dutch Justice Department wants to <a href="http://www.nu.nl/news/1358189/11/rss/Hirsch_Ballin_wil_verbod_op_stiletto%27s.html">ban stilettos</a> (english). By banning knives, he is of the opinion that they will be removed from society.

Speeding is not allowed, but people still do it. Stealing is not allowed, but it is still being done. Assaulting people is not allowed, but still many people end up in hospital after being beaten up. And now the minister thinks he can get rid of knives by just not allowing them.

People who are not afraid to use a knife will probably not be afraid of a law that forbids them to carry one. It's not the law that stops people from doing things, it's the penalty for breaking it. So, I'm really curious about the actual enforcement of that new law.

http://security.leisink.org/weblog/74 (Mon, 17 Dec 2007 00:00:00 +0000)

Large amount of guns smuggled via Schiphol

Last Monday, Oxfam Novib announced that a <a href="http://www.nu.nl/news/1358793/13/rss/%27Veel_doorvoer_wapens_via_Schiphol%27.html">large amount of guns are being smuggled via Schiphol</a> (english). In 2006 there were more than 2000 cases of gun smuggling via Schiphol.

Isn't it disturbing that innocent passengers are being treated as potential terrorists while the real dangers are overlooked? Because if guns can be smuggled via airplanes, it's also possible to put a time bomb in a suitcase. But again, if terrorists wanted to do that, they would already have done it.

http://security.leisink.org/weblog/75 (Mon, 17 Dec 2007 00:00:00 +0000)