Slashdot Mirror


WSIS Physical Security Cracked

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."


  1. Tracking locations? by fred911 · · Score: 4, Interesting

    In order to track locations to see who's close to whom, you need many, many RFID transceivers. Probably so many, so close there'd be other issues (RF issues).

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Tracking locations? by interiot · · Score: 2, Interesting

      Read the article, the badges are "passive" in that they only reflect radio waves sent to them. Also, the RF transmitters/sensors are placed only at entrances and pop machines, so attendees weren't tracked really closely, and apparently they can't sense much more than 20 feet away, making RF interference much less of a problem.

  2. Re:huh? by Cumstien · · Score: 3, Interesting

    From a forensic science conference I learned that law enforcement will use supermarket discount cards to place individuals at a particular place and time. You'd better think twice about saving $.79 before whacking an adversary.

  3. Re:'Activist' is such a misnomer by anagama · · Score: 4, Interesting
    What's this WSIS about? It seems you sneer at activists when in fact, they might just be protecting your freedom.
    • It doesn't help that there are several topics of great import but huge controversy. The chief among these is Internet governance. In short: who gets to run the Internet?
      ***
      The United States, Europe and English-speaking partners such as Australia favour the existing private-company organisation, ICANN. Whereas developing nations, China, India, Brazil, South Africa and others all want a recognised international body to run the show, ITU.
    Follow the links back a bit.

    And for posters below who seem unimpressed that a quasi governmental agency can monitor who it is you mingle with, or go to private areas for private discussion - you deserve what you'll get. The internet so far has been a model of a borderless world. But many countries are terrified by this concept - you really want them collecting data, manipulating who the attendees will be to prevent certain individuals from blocking their plans? That's nuts.

    --
    What changed under Obama? Nothing Good
  4. Re:"Bypassed security" by dark404 · · Score: 3, Interesting
    I think the pseudo-slang term you are looking for to describe what they did is, "Social Engineering." Unfortunately, the weakest link in any system of security (real or virtual) is the user. A parallel can easily be drawn from what was done here to the old days of AOL (maybe the current days too, been years since I used AOL) where script kiddies and wannabe hackers would 'phish' (compromise) accounts by impersonating AOL employees and asking people for their passwords over Instant Messages. Of course people FELL for that even with "AOL will NEVER ask for your password" plastered on every IM box on the system.

    We should be able to trust our fellow man, and on many levels we want to trust people. Because of our predisposition to trusting people (when meeting them face to face, obviously on the internet it is a tad different) the unscrupulous take advantage of that trust. On one hand we're too trusting and get taken advantage of, on the other hand we're too untrusting and our society becomes overly unfriendly. Rock and a hard place.

  5. Re:huh? by Geek+of+Tech · · Score: 2, Interesting
    >>> Ok, so these guys "cracked" the system by finding the name of a person, got a fake id, went there, took a picture and walked in.

    Even worse. I think the article said "...a name from the WSIS website of attendees." No cracking, unless you consider surfing the web "cracking".

    --
    Stop the Slashdot effect! Don't read the articles!
  6. Re:"Bypassed security" by ShaunC · · Score: 4, Interesting
    If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.
    You'll also find that they should have been required to produce their letter of invitation and a registration number. They had neither, but got in anyway. Perhaps not so much clever as scary, this place is hopping with "important people" and anybody can walk right in with no invite and a fake ID.

    The security at freaking MacWorld was better (or worse, depending on your perspective) than this the last time I went! Unless you got your badge via mail, you had to produce not only your ID but also the credit card that you used to register. Not infallible, but at least a challenge - and Javits wasn't full of diplomats, either.
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  7. Re:Feels good by cduffy · · Score: 4, Interesting
    It's a security conference. There's a reasonable expectation that security experts:
    1. Are innately concerned about avoiding unnecessary exposure of personal data (say, by displaying it in such a way that 3rd parties could observe or record personal information about other attendants).
    2. Will be able to use access control which is not circumvented by such a blatantly trivial mechanism as a fake ID.
    3. Will not permit other physical security measures (such as the use of metal sensors) to be trivially circumvented (as by smuggling in items which would not be permitted to be taken in during the conference itself beforehand).

    And so forth. The issue is not necessarily so much that the organizers are hostile as that they're incompetent in the very matter they're holding a conference about.
  8. Re:'Activist' is such a misnomer by Orne · · Score: 4, Interesting

    No, Reactionary is one tick stronger on the scale

    Political Leaning - "Left" to "Right"
    Revolutionary - Liberal - Status Quo - Conservative - Reactionary

    Government Intervention - "Weak" to "Strong"
    Anarchist - Libertarian - Status Quo - Authoritarian

  9. Re:huh? by ParadoxDruid · · Score: 2, Interesting

    This is exactly why my friends and I have started a policy of trading Grocery cards with anyone new that we meet, and encouraging them to do likewise.

    You get the same discount, you get to have some fun trading cards around and stuff, and they can't track you nearly as easily.

    --
    This statement is solely an opinion. Kindly take it as such in all cases.
  10. Re:Feels good by Anonymous Coward · · Score: 1, Interesting

    Very believable. At MobiComm this year the host hotel's wireless Cisco routers were open for non-authenticated access through telnet...

    One would have thought that the net admin would have been a little worried when your network is going to be used by a conference on mobile computing.

  11. Re:[RFID] Late night on slashdot and the nightmare by narratorDan · · Score: 2, Interesting

    They could, but cash changes hands so quickly it would be a lesson in futility. The better idea would be to ban cash (cash is too easy for terrorists to counterfeit) and go solely with credit/debit cards which do have RFID tags as part of the smart chip.

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  12. Total BS - been there by cocotoni · · Score: 3, Interesting

    The part about RFID tags used for tracking is utter and total BS. In fact yesterday I was at WSIS. I did have the badge, and yes it is marked with an RFID, but the bugger is passive and I had to put it real close to the scanner to read it. I tried to just casually swipe it from afar, but I had to actually put it right in front of the reader.

    More on security: at the entrance you walk through metal detector gates, with an X-ray scanner for the bags. You are processed by 4 security guys - one takes your bags, another works the gate and X-ray scanner, a third scans your badge and compares your face to the picture on the badge and to the picture in the DB they get based on the RFID tag. All these images have to match. If there is any problem there is the fourth guy standing behind with a rifle.

    Yes - the 1337 h4x0rz could have bypassed this by getting the official badges, because when you have the badge you don't have anything standing in your way. No - they could not have gotten to the bigwigs, because that part of the conference was separated, with stronger security checks, which were obviously not done just at the place, since the bigwigs were escorted from their mansions, with the whole entourage, and I suppose that you don't expect presidents and prime-ministers to go around carrying badges on the straps around their necks, and walk through the metal-detector gates a few times.

    In fact, the easiest way for "terrorists" to sneak in would be to get listed as active participants by a friendly government of a rogue state.

    I wish that people would concentrate more on the positive results of WSIS, instead of spreading FUD.