Category: Security

Oyster Card Cracked

NXP sues to silence Oyster researchers

Chipmaker NXP, formerly Philips Semiconductors, is taking Dutch Radboud University to court on Thursday to prevent researchers publishing their controversial report on the Mifare Classic chip.

Recently researchers from Radboud University in Nijmegen revealed they had cracked and cloned Londons Oyster travel card. Earlier this year the researchers did the same to the Dutch MIFARE travel card. This card is to replace paper tickets on all trams, buses, and trains and is already undergoing trials in Rotterdam.

EDRI tells the BOI story like it is…

While the national media treat the story like a tiny little inconvenience and parrot the bank’s line that improper use of the data is unlikely, EDRI tells it like it is in just once sentence:

The personal data of about 10,000 customers of the Bank of Ireland are now in the possession of thieves as four laptops with the unencrypted data were stolen from the bank between June and October 2007.

The laptops were stolen by thieves. Bad people. People that will take every advantage that’s available to them.

Some crossover with the banks there, it seems…

Hackers Publish German Minister’s Fingerprint

They’ll probably be arrested now as terrorists!

Wired: To demonstrate why using fingerprints to secure passports is a bad idea, the German hacker group Chaos Computer Club has published what it says is the fingerprint of Wolfgang Schauble, Germany’s interior minister.

According to CCC, the print of Schauble’s index finger was lifted from a water glass that he used during a panel discussion that he participated in last year at a German university. CCC published the print on a piece of plastic inside 4,000 copies of its magazine Die Datenschleuder that readers can use to impersonate the minister to biometric readers.

Several years ago the CCC published a guide to lifting and reproducing fingerprints.

Security Theatre

I often use the phrase. Here’s one example to explain why.

Washington City Paper: On Aug. 17, 2004, security officials at the Nuclear Regulatory Commission (NRC) started receiving reports of a spree of thefts at agency headquarters in White Flint, Md. About $800 had gone missing in the space of a few hours and it looked like an outside job. Report No. 08-21 described a typical encounter with the unknown suspect.

A little before 2 p.m. the previous day, a woman returned to her office and found a stranger sitting at her desk. According to the report, the uninvited guest was a young African-American woman with straight black hair that hung past her shoulders. She wore black slacks and a white blouse. “I was going to leave you a note,” the stranger said, rising from the chair. She explained that she had a piece of mail for the woman and needed to deliver it in person.

Her supervisor had insisted she get a signature since the parcel was actually addressed to someone else. Oh, and she didn’t have it with her right then. The “whole thing seemed very odd,” the NRC employee later told investigators. Nonetheless, she allowed her visitor to leave without further questions. In a hurry to make a 2 p.m. meeting, she left the office as well.

A few minutes later, the employee’s secretary saw the girl back at her boss’ desk. She wore an NRC badge, turned backward. The young woman explained she needed to leave a note and asked for paper. When the secretary returned with a notepad, the girl had moved closer to a filing cabinet, her back facing the door. She wrote a note and left.

It was an odd interaction for sure, but not quite alarming. But such blasé encounters began to emerge as a pattern as the NRC investigated 11 separate thefts of cash and credit cards. According to incident reports obtained through the Freedom of Information Act, most of the crimes took place between 11:30 a.m. and 2:30 p.m. on Aug. 16 in two heavily secured buildings occupied by the commission on Rockville Pike. The complex is not a tourist destination, as armed guards will inform you. Visitors need to have verifiable business in the building and must provide photo ID. Bags get scanned, people get the metal detector. Employees must show a badge with their photo and job title.

Elsewhere around D.C., at other highly secure federal buildings, similar thefts were causing frustration among security officers. There were reports of missing cash and electronics at the Federal Aviation Administration, the Department of the Treasury, and the Government Accountability Office. The suspect had a keen sense for the weaknesses of office dwellers, even in government offices where employees should know better.

[…]

80 Government Laptops Missing

Digital Rights Ireland: Today’s Irish Independent covers the revelation (via Ruari Quinn’s Dáil questions) that over 80 government laptops – together with other items such as USB keys and Blackberries – have been lost or stolen over the last five years. It appears from the responses to those questions that the laptops weren’t encrypted, but it’s not fully clear what was on each device. We’ve pointed out before that the State’s security standards for personal data appear to be extremely lax – suggesting that it’s essentially a matter of luck that we haven’t had private files compromised on as large a scale as the recent English loss of data on 25 million individuals. The Data Protection Commissioner is already investigating the lax culture within some Government Departments where snooping or sale of personal information is common – but past experience suggests that real change won’t happen unless there is public pressure for it.

I Am The Law

Peruvian riot police outfits. I want one of these for when I feeling evil in my van. :)

Peruvian Riot Police

WordPress 2.3.3 Security Update

Get it upgraded folks, particularly if you’re on one of my servers!

WordPress: WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available.

Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.

Kneejerk Politics

Do politicians not understand the phrase “proactive”? Policies like these should have been enacted yonks ago, plus of course the contradiction between these and the data retention crap going on in the UK and around the world is past ridiculous, into the realms of Wizard of Oz territory.

EDRI – New data protection rules asked by UK MPs: The Justice Committee of the UK House of Commons issued on 3 January 2008 a report on public data protection summarising the status and development of the topic, especially since the November 2007 Chancellor’s announcement to the Parliament related to the loss of confidential data records of 25 million people by HM Revenue and Customs.

The report that recommends a data breach notification law, criminal penalties for data controllers that are found responsible for breaching security, greater powers and financing for the Information Commissioner’s Office, follows the line of the recommendations made by the House of Lords Science and Technology Committee in August 2007 that were rejected at that time by the government.

German data retention act challenged

I wonder could you get 30 people to sign a complaint about data retention in Ireland? The lack of interest in privacy and security in our country is an embarrassment.

EDRI: Just five days after the German President Horst Köhler approved the German data retention law that entered into force on 1 January 2008, the German Working group on data retention (Arbeitskreis Vorratsdatenspeicherung) challenged the law in the Federal German Constitutional Court.

The complaint was filed with the Court on 31 December 2007 and, for the first time in the German history, it was backed by 30 000 complainants. The 150-page notice of appeal requested an immediate suspension of the law on the grounds of “apparent unconstitutionality”.

2x U.S. Banks Duped By Phony Cash Couriers

ROFL. I wonder was it the same guy, on a roll. You’ll almost wish he’d get away with it. The banks certainly deserved a kick in the pants for something so ridiculous.

Washington Post: To the annals of creative bank heists add this: Two Washington area banks turned over more than $850,000 in less than 24 hours this week to someone who impersonated a cash courier and claimed to be filling in for the regular guys.

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.

It wasn’t until the actual AT Systems employees arrived at the bank, at 11501 Georgia Ave., the next day that bank officials realized they’d been had. “When the real security guards showed up is when it became known,” said Richard Wolf, a spokesman with the FBI’s Baltimore division.

Not five minutes later or even an hour later, the next day!