Security

Hackers Publish German Minister’s Fingerprint

They’ll probably be arrested now as terrorists!

Wired: To demonstrate why using fingerprints to secure passports is a bad idea, the German hacker group Chaos Computer Club has published what it says is the fingerprint of Wolfgang Schäuble, Germany’s interior minister.

According to CCC, the print of Schäuble’s index finger was lifted from a water glass that he used during a panel discussion that he participated in last year at a German university. CCC published the print on a piece of plastic inside 4,000 copies of its magazine Die Datenschleuder that readers can use to impersonate the minister to biometric readers.

Several years ago the CCC published a guide to lifting and reproducing fingerprints.

Security Theatre

I often use the phrase. Here’s one example to explain why.

Washington City Paper: On Aug. 17, 2004, security officials at the Nuclear Regulatory Commission (NRC) started receiving reports of a spree of thefts at agency headquarters in White Flint, Md. About $800 had gone missing in the space of a few hours and it looked like an outside job. Report No. 08-21 described a typical encounter with the unknown suspect.

A little before 2 p.m. the previous day, a woman returned to her office and found a stranger sitting at her desk. According to the report, the uninvited guest was a young African-American woman with straight black hair that hung past her shoulders. She wore black slacks and a white blouse. “I was going to leave you a note,” the stranger said, rising from the chair. She explained that she had a piece of mail for the woman and needed to deliver it in person.

Her supervisor had insisted she get a signature since the parcel was actually addressed to someone else. Oh, and she didn’t have it with her right then. The “whole thing seemed very odd,” the NRC employee later told investigators. Nonetheless, she allowed her visitor to leave without further questions. In a hurry to make a 2 p.m. meeting, she left the office as well.

A few minutes later, the employee’s secretary saw the girl back at her boss’ desk. She wore an NRC badge, turned backward. The young woman explained she needed to leave a note and asked for paper. When the secretary returned with a notepad, the girl had moved closer to a filing cabinet, her back facing the door. She wrote a note and left.

It was an odd interaction for sure, but not quite alarming. But such blasé encounters began to emerge as a pattern as the NRC investigated 11 separate thefts of cash and credit cards. According to incident reports obtained through the Freedom of Information Act, most of the crimes took place between 11:30 a.m. and 2:30 p.m. on Aug. 16 in two heavily secured buildings occupied by the commission on Rockville Pike. The complex is not a tourist destination, as armed guards will inform you. Visitors need to have verifiable business in the building and must provide photo ID. Bags get scanned, people get the metal detector. Employees must show a badge with their photo and job title.

Elsewhere around D.C., at other highly secure federal buildings, similar thefts were causing frustration among security officers. There were reports of missing cash and electronics at the Federal Aviation Administration, the Department of the Treasury, and the Government Accountability Office. The suspect had a keen sense for the weaknesses of office dwellers, even in government offices where employees should know better.

[…]

80 Government Laptops Missing

Digital Rights Ireland: Today’s Irish Independent covers the revelation (via Ruairi Quinn’s Dáil questions) that over 80 government laptops – together with other items such as USB keys and Blackberries – have been lost or stolen over the last five years. It appears from the responses to those questions that the laptops weren’t encrypted, but it’s not fully clear what was on each device. We’ve pointed out before that the State’s security standards for personal data appear to be extremely lax – suggesting that it’s essentially a matter of luck that we haven’t had private files compromised on as large a scale as the recent English loss of data on 25 million individuals. The Data Protection Commissioner is already investigating the lax culture within some Government Departments where snooping or sale of personal information is common – but past experience suggests that real change won’t happen unless there is public pressure for it.

WordPress 2.3.3 Security Update

Get it upgraded folks, particularly if you’re on one of my servers!

WordPress: WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available.

Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.
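The WordPress notice above describes a classic authentication-versus-authorization gap: the XML-RPC handler checked that the caller was a valid user, but not that the caller was allowed to edit the particular post named in the request. The following is an added example of that pattern, written for this page; it is a constructed in-memory model, not WordPress’s own xmlrpc.php, and the user names, passwords and post contents are made up. The vulnerable handler stops at authentication; the fixed one also checks ownership or an editor role before writing.

```python
"""Constructed model of the authorization gap in a blog edit handler:
authenticating the caller is not the same as authorizing the action.
Illustrative code only, not WordPress's xmlrpc.php."""

from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Post:
    post_id: int
    author: str
    content: str


@dataclass
class Blog:
    # constructed sample state: username -> password, post_id -> Post,
    # plus the set of users holding an "editor" role (may edit any post)
    users: Dict[str, str] = field(default_factory=dict)
    posts: Dict[int, Post] = field(default_factory=dict)
    editors: Set[str] = field(default_factory=set)

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: is this a valid user with the right password?"""
        return self.users.get(username) == password

    def edit_post_vulnerable(self, username: str, password: str,
                             post_id: int, new_content: str) -> bool:
        """Authentication only. Any valid user can overwrite any post,
        which is the class of flaw the 2.3.3 notice describes."""
        if not self.authenticate(username, password):
            return False
        post = self.posts.get(post_id)
        if post is None:
            return False
        post.content = new_content
        return True

    def edit_post_fixed(self, username: str, password: str,
                        post_id: int, new_content: str) -> bool:
        """Authentication plus authorization: the caller must own the
        post or hold the editor role, otherwise the edit is refused."""
        if not self.authenticate(username, password):
            return False
        post = self.posts.get(post_id)
        if post is None:
            return False
        if post.author != username and username not in self.editors:
            return False  # authenticated, but not authorized for this post
        post.content = new_content
        return True


def make_sample_blog() -> Blog:
    """Constructed sample data: two authors and one editor."""
    blog = Blog()
    blog.users = {"alice": "alice-pw", "bob": "bob-pw", "ed": "ed-pw"}
    blog.editors.add("ed")
    blog.posts[1] = Post(1, "alice", "Alice's original post")
    blog.posts[2] = Post(2, "bob", "Bob's original post")
    return blog


if __name__ == "__main__":
    blog = make_sample_blog()
    # bob, a valid user, edits alice's post through the vulnerable handler
    print("vulnerable:", blog.edit_post_vulnerable("bob", "bob-pw", 1, "changed"))
    blog = make_sample_blog()
    # the fixed handler refuses the same request
    print("fixed:", blog.edit_post_fixed("bob", "bob-pw", 1, "changed"))
```

The point to take from the fixed handler is that the check is made against the specific object in the request (the post’s author) rather than against the caller’s login alone; every handler that takes an object identifier from the client needs an equivalent check.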

Kneejerk Politics

Do politicians not understand the phrase “proactive”? Policies like these should have been enacted yonks ago, plus of course the contradiction between these and the data retention crap going on in the UK and around the world is past ridiculous, into the realms of Wizard of Oz territory.

EDRI – New data protection rules asked by UK MPs: The Justice Committee of the UK House of Commons issued on 3 January 2008 a report on public data protection summarising the status and development of the topic, especially since the November 2007 Chancellor’s announcement to the Parliament related to the loss of confidential data records of 25 million people by HM Revenue and Customs.

The report that recommends a data breach notification law, criminal penalties for data controllers that are found responsible for breaching security, greater powers and financing for the Information Commissioner’s Office, follows the line of the recommendations made by the House of Lords Science and Technology Committee in August 2007 that were rejected at that time by the government.

German data retention act challenged

I wonder could you get 30 people to sign a complaint about data retention in Ireland? The lack of interest in privacy and security in our country is an embarrassment.

EDRI: Just five days after the German President Horst Köhler approved the German data retention law that entered into force on 1 January 2008, the German Working group on data retention (Arbeitskreis Vorratsdatenspeicherung) challenged the law in the Federal German Constitutional Court.

The complaint was filed with the Court on 31 December 2007 and, for the first time in the German history, it was backed by 30 000 complainants. The 150-page notice of appeal requested an immediate suspension of the law on the grounds of “apparent unconstitutionality”.

2x U.S. Banks Duped By Phony Cash Couriers

ROFL. I wonder was it the same guy, on a roll. You’ll almost wish he’d get away with it. The banks certainly deserved a kick in the pants for something so ridiculous.

Washington Post: To the annals of creative bank heists add this: Two Washington area banks turned over more than $850,000 in less than 24 hours this week to someone who impersonated a cash courier and claimed to be filling in for the regular guys.

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.

It wasn’t until the actual AT Systems employees arrived at the bank, at 11501 Georgia Ave., the next day that bank officials realized they’d been had. “When the real security guards showed up is when it became known,” said Richard Wolf, a spokesman with the FBI’s Baltimore division.

Not five minutes later or even an hour later, the next day!

The Airport Security Follies

Brilliant blog piece by author and pilot Patrick Smith in the Times. Somebody’s been reading Bruce Schneier.

New York Times Blog: Six years after the terrorist attacks of 2001, airport security remains a theater of the absurd. The changes put in place following the September 11th catastrophe have been drastic, and largely of two kinds: those practical and effective, and those irrational, wasteful and pointless.

The first variety have taken place almost entirely behind the scenes. Explosives scanning for checked luggage, for instance, was long overdue and is perhaps the most welcome addition. Unfortunately, at concourse checkpoints all across America, the madness of passenger screening continues in plain view. It began with pat-downs and the senseless confiscation of pointy objects. Then came the mandatory shoe removal, followed in the summer of 2006 by the prohibition of liquids and gels. We can only imagine what is next.

To understand what makes these measures so absurd, we first need to revisit the morning of September 11th, and grasp exactly what it was the 19 hijackers so easily took advantage of. Conventional wisdom says the terrorists exploited a weakness in airport security by smuggling aboard box-cutters. What they actually exploited was a weakness in our mindset — a set of presumptions based on the decades-long track record of hijackings.

[…]

Colossus Is Back Baby!

No, I haven’t put all that weight back on again. This is the Colossus that cracked German ciphers during WWII, rebuilt over an incredible 14 years in Bletchley Park. Valves an’ all!

I’m going to London in February to buy a whole new set of clothes, so poor old T is going to be dragged all the way to Milton Keynes. :)

Colossus