Slashdot Mirror
WSIS Physical Security Cracked
An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."
They are more reactionary than anything, opposing change at all turns.
You could call them anti-activists and it would make more sense.
I have been pwned because my
Huh? If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.
Basically the "researchers" represented themselves as being someone else and used a fake (potentially) illegal piece of identification. Doesn't seem clever, just seems fraudulent.
They then go on to speculate about how "data mining" and RFID might be used for all sorts of nasty tricks and end up sounding like a bunch of paranoid crack-pots.
So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?
John.
The fact that the security was breached is not the most alarming thing about this. Nothing programmed by man is ever completely safe. The scary thing is that people professing to be security concious were bested because of something so simple, and which could have been prevented or easily stopped.
If my answers frighten you, stop asking scary questions.
Though many have criticized this article as not really representing cracking or bypassing security in any impressive manner, I think there is a deeper issue here.
What information of use could be gleaned at future meetings or other UN events? The same people very likely do event security for this and other conferences, and the type of information that could be gleaned or the damage that could be done at other events is something to be taken seriously.
Personally, I despise the UN - but they (through US) are a force in the world and a breach of their security is nothing to laugh at too quickly.
How many roads must a man walk down? 42.
The problem here was one of physical security-all these guys really needed to get started was a name. During the 80's/early 90's, one of the concerns in the security field was also physical security-a hacker posing as a janitor and accessing unsecured systems, or dumpster diving, or using personal connections to get at employees and talk something valuable out of them. I would think that people would have learned by now that it takes more than simple electronic measures to stop "hacking". This could have been prevented if the powers-that-are had made the ID process a little harder.
If my answers frighten you, stop asking scary questions.
begins.
They are going to put these in tires. When you buy your tires the seller is going to be required to enter your information in a database.
One day when you are going a little too fast in a school zone or run a yellow that switches to red too fast an underground computer is going to sense the rfid in your tire, immediately reporting the number via rf link to police headquarters.
You would think that this would be for the purpose of giving you a ticket. You're right, you will get a ticket. But that is not the end the trail for your rfid number.
It immediately gets sent to the state government where it checks to make sure you are not a deadbeat dad that the wherabouts of are unknown. Simultaneously sending it to the FBI to see if you are a name on the "patriot" act watchlist and indexes your location. If you drive on the same street on a regular basis they will know where to find you.
You're not a deadbeatdad, lawbreaker, or terrorist you say??? Well the trail that your rfid number takes does not end there. Your rfid number is sold by cashed-strapped states to a commercial database under the auspices of "risk mitigation" that insurance companies subscribe to. Because you were speeding, you are at an increased risk and your car insurance rates are subsquently raised. Because you drive dangerously, your health insurance rates are also raised. Maybe they cancel your policy outright.
You're thinking I'll just remove the rfid. No you won't. Driving with unregistered tires is against the law, and if the police can't scan you as you drive past his cruiser he pulls you over and immediately suspends your license and impounds your car. But you won't be able to remove it anyway, without destroying the tire, as it is purposefully integrated with the "steel belt".
Does the trail end for your rfid tire number now? No, it most certainly doesn't. To see where it leads further, you are going to have to talk to my patent attorney.
The linux hacker
You can't see the difference between this and a club?
One is a venue which wants to transfer money from your wallet to them in exchange for alcohol and a good time. The government says they aren't allowed to take money from people below a certain age, so they don't let them in. If you have a fake ID, then why would the club care that you choose to spend your money on their product?
One is a venue filled with the heads of governments of numerous countries, government ministers, UN bigwigs (like the Secretary-General), and other such VIPs (in some people's eyes). It doesn't want to sell people a product which the government has decreed you have to be a certain age to have, but possibly wants to stop VIPs being harrassed and bombs being planted.
It's even better than that.
The security at the conference is weak, and they're collecting personal data while they navigate the conference.
I think they've pretty much proven they're the wrong people for the job.
Inconceivable!
> they found the system uses RFID tags to monitor participants -- possibly even
> who they interact with and their movements through the conference.
Or they could just use a camera to follow your movements through the conference and see who you interact with. Nothing new here... move along.
If anyone really wanted to track people by "remotely activating" their RFID tags without them knowing, they would need so many of these close-range readers that you wouldn't be able to walk! Plus you would need to figure out who's who by getting into the "DATABASE" that nobody knows about.
You might as well drop one of these nifty wireless camera in each corner of the room, betcha it would be way more effective for tracking people's whereabouts.
PS/ I hear they (Privacy Enemies) can track me down and see whatever I'm doing only by knowing my IP address!!! pH34r
The problem with any system in place is that when convenience is place ahead of security. The more convenient it is made for the people who it is going to protect and the people who are enforcing the system the less secure it will become. Well at least that is what I think part of the problem is.
Get Movie Posters
This wasn't a technical hack by any means... they brought a fake ID with the name of a real person on the guest list, and they got that person's badge issued to them. From that point on, they had as much clearance as that real person had, not surprising at all.
Just goes to show the inherent insecurity in demanding only a government-issued ID when many governments are involved. Any given state's drivers license has many anti-forgery features, but unless you have an inch-thick book with all of the features of every acceptable ID listed, an international event is gonna have a hard time relying on that alone.
Still, what's newsworthy about this failure? It happened at an important-to-the-Internet event, but it didn't really cause and damage...
His biggest *break-ins* were physically walking into a computer room. Nowadays that is the least talked about security issue. Mitnick does a lot of educating on the topic but a lot of people called him *old fashion*. Well there you go, it happened, and to none other than WSIS. I think you should check those locks on your server rooms again.
The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
Group of idiots commit fraud to crash an important meeting and discover -- rf tags. Then in sanctimonious puffery they tell the world about it because...
Do you not think the organizers knew there were limits to what they had to spend on security?
Rfid tags have the advantage of not needing an interpreter if the delegate only speaks another tongue.
See who gets painted by the same brush as these jerks, not scientists, not researchers...
"4) These are the people who are deciding how the internet is going to be governed"
Not to get too off-topic, but I don't think that I like the direction that they want to take the Internet. Yes, it spans the globe, but it's something that a lot of private and public American funding went into designing, developing, and maintaining. I understand the need for standards, but I don't think that the U.N. is really right for governing the Internet. They have a hard enough time running peacekeeping missions in European countries, let alone anywhere else in the world, and that's stuff that there has been established methods around for quite some time.
My basic idea is this-- The U.S. had the single largest contribution to the idea of a global information network in the form of the Internet. If the rest of the world wants one of their own, let them create it themselves. There are enough people in enough other countries that if they want to slowly combine into one government with it's own infrastructure, let them. It's called competition, and it's been proven, that when coupled with the right amount of cooperation, to be very good at advancing things. If the U.N. builds their own global information network and it's better than the Internet, people will switch. If it's not, either through information availability problems, or through censorship, then it won't. Seems fairly simple.
Do not look into laser with remaining eye.
Why does everyone think RFID tags can be used to monitor the actions of people?
RFID tags are un-powered. In fact, they are powered by the RF signals that are used to read the RF tag. Because of this RF tags have transmission range of inches.
This is probably another case of "You get what you pay for", but the issues here go beyond simply using a fake ID to breach physical security. The fact that the data needed to fake the ID was culled from the attendee list on the website speaks volumes as to how much thought actually went into the security architecture for this event. I mean, really, someone should of thought of that possibility. Why didn't they verify or vet this identification in some way ?
Another frightening fact is that these jokers' security processes, if you consider the RFIDs as 'security',are violating the laws of both the host country and the EU. This is the biggest issue, IMHO. "Security" also means adhering to all applicable laws and regulations, in order to limit your liability, and the liability of your employer.
And what about these guys walking around snapping photos of the screener's monitors ? Whats up with that ?
The bottom line is that these "security experts" at SportAccess, or wherever, are incompetent. Their security model was ill-conceived, poorly executed, needlessly intrusive and (obviously) completely ineffective.
"Nothing is impossible for the man who refuses to listen to reason"
I'm curious what happened to the person who they pretended to be... were they sick? Just didn't show up? Or when they came did security say, "sorry sir you've already signed in" deemed him a fake and locked the real guy away and are torturing him even as we speak? I dunno curious about that....
When I was in the US Navy, I got to learn a few things that most security experts get to learn the hard and embarrasing way:
1) Security is hard work and requires the involvement of people with great integrity willing to work very hard. Security requires the highest level of attention to detail, trust that proceedures will be followed and absolute trust that when the proceedures don't work, don't apply or are circumvented that the individual will make the right decisions.
2) You cannot delegate security to any machine. This includes padlocks, safes, computers, surveilance systems, and alarm systems. These are all designed to assist the hard working humans with great integrity. They have no ability to make decisions when their processes fail, are circumvented or don't apply.
3) The inclusion of anyone without great integrity inside a secured area is insecure. Loose lips sink ships. This is why security is so difficult in any semi-democratic organization - there is no way to exclude those you can't trust.
4) Confidence is like corrosion. It slowly destroys even the strongest security just as corrosion will eventually sink the most powerful ship in the fleet.
Sounds like WSIS violated three of four of these rules.
-- $G
I suppose that you don't expect presidents and prime-ministers to go around carrying badges on the straps around their necks, and walk through the metal-detector gates a few times.
You know, if there was some kind of law that said all those powerful politicians have to wait in line and go through the security screenings just like us "little people", I bet airport security would be a lot better and more convenient than it is right now. I thought the President was a person, just like you and me. So if I have to wear a badge and go through a metal detector, I think He (whoops, I mean "he") should to.
Politicians making decisions that have no effect on themselves piss me off to no end.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
There are a variety of smart card and RFID standards, and the two are different animals. This "press release" did nothing to clarify what the cards were. If these guys were such amazing hackers we would know if it is a tag or a card and what the make and model are. We would know what was stored on the card and what security was in place on it. Instead we know just about nothing.
This could have been really interesting, but the press release is short on information and long on FUD.
Lasers Controlled Games!