Slashdot Mirror


WSIS Physical Security Cracked

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."

57 of 196 comments

  1. Feels good by Hi_2k · · Score: 5, Funny

    These people are looking to be put in charge of my Packets, yet they can't even keep a couple of geeks out of a conference room? I'm sure we'll all feel REALLY safe ordering online with them in charge.

    --
    When life gives you crap, Make Crapade.
    Sluggy Freelance.
    1. Re:Feels good by DataPath · · Score: 4, Insightful

      It's even better than that.

      The security at the conference is weak, and they're collecting personal data while they navigate the conference.

      I think they've pretty much proven they're the wrong people for the job.

      --
      Inconceivable!
    2. Re:Feels good by Geek+of+Tech · · Score: 3, Funny
      But don't worry about the data they collect! They're probably using 2-bit encryption! It's the only thing you can use with their 2-bit security measures......

      --
      Stop the Slashdot effect! Don't read the articles!
    3. Re:Feels good by cduffy · · Score: 4, Interesting
      It's a security conference. There's a reasonable expectation that security experts:
      1. Are innately concerned about avoiding unnecessary exposure of personal data (say, by displaying it in such a way that 3rd parties could observe or record personal information about other attendants).
      2. Will be able to use access control which is not circumvented by such a blatantly trivial mechanism as a fake ID.
      3. Will not permit other physical security measures (such as the use of metal sensors) to be trivially circumvented (as by smuggling in items which would not be permitted to be taken in during the conference itself beforehand).

      And so forth. The issue is not necessarily so much that the organizers are hostile as that they're incompetent in the very matter they're holding a conference about.
  2. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 5, Insightful

    activism
    n.

    The use of direct, often confrontational action, such as a demonstration or strike, **in opposition to** or support of a cause

    Nope, activist sounds right to me.

  3. Re:'Activist' is such a misnomer by glpierce · · Score: 5, Insightful

    I believe the word you're looking for is conservative.

    --
    G
  4. Re:'Activist' is such a misnomer by iminplaya · · Score: 3, Insightful

    I kind of interpret "activist" to mean that they are ...uhh..."active"? whether they are opposing or otherwise.

    --
    What?
  5. huh? by junkymailbox · · Score: 4, Funny
    Ok, so these guys "cracked" the system by finding the name of a person, got a fake id, went there, took a picture and walked in.

    sidenote: all them kids in the clubs must be great crackers .. I see them "cracked" and "bypassed physical security" all the time ..
    oh wait .. this is slashdot .. no one goes to clubs here ..
    then they dissect the cards that were given to them to find out that they have RFID chips but no one seems to know what it does. .. Wait .. how's this different than any other place that asks for your information .. like Police and Lawyers Love E-ZPass?

    1. Re:huh? by Cumstien · · Score: 3, Interesting

      From a forensic science conference I learned that law enforcement will use supermarket discount cards to place individuals at a particular place and time. You'd better think twice about saving $.79 before whacking an adversary.

    2. Re:huh? by sholden · · Score: 5, Insightful

      You can't see the difference between this and a club?

      One is a venue which wants to transfer money from your wallet to them in exchange for alcohol and a good time. The government says they aren't allowed to take money from people below a certain age, so they don't let them in. If you have a fake ID, then why would the club care that you choose to spend your money on their product?

      One is a venue filled with the heads of governments of numerous countries, government ministers, UN bigwigs (like the Secretary-General), and other such VIPs (in some people's eyes). It doesn't want to sell people a product which the government has decreed you have to be a certain age to have, but possibly wants to stop VIPs being harassed and bombs being planted.

    3. Re:huh? by Geek+of+Tech · · Score: 2, Interesting
      >>> Ok, so these guys "cracked" the system by finding the name of a person, got a fake id, went there, took a picture and walked in.

      Even worse. I think the article said "...a name from the WSIS website of attendees." No cracking, unless you consider surfing the web "cracking".

      --
      Stop the Slashdot effect! Don't read the articles!
    4. Re:huh? by segfault7375 · · Score: 5, Funny

      Yeah, but I bet you would feel differently about it if you were proven innocent because you were buying hand lotion and a copy of Maxim when the crime was being committed.

    5. Re:huh? by Trigun · · Score: 2, Funny

      In that case, I've been proven innocent in about a million crimes already! I love technology!

      And Maxim...

    6. Re:huh? by ParadoxDruid · · Score: 2, Interesting

      This is exactly why my friends and I have started a policy of trading Grocery cards with anyone new that we meet, and encouraging them to do likewise.

      You get the same discount, you get to have some fun trading cards around and stuff, and they can't track you nearly as easily.

      --
      This statement is solely an opinion. Kindly take it as such in all cases.
    7. Re:huh? by HeghmoH · · Score: 3, Funny

      I'd rather go to jail for a crime I didn't commit than have a thousand strangers know that I read Maxim.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  6. Well. . . by Anonymous Coward · · Score: 5, Funny

    Days before the Summit no physical security was available. Anyone could bring anything inside the conference

    Yep, it was fairly easy to sneak my tin foil hat in.

  7. so this is like 'hacking' by Anonymous Coward · · Score: 5, Funny

    except they were walking around and stuff.... neato.

    1. Re:so this is like 'hacking' by Grey+Tomorrow · · Score: 2, Funny

      I like to call it "warwalking". Catchy huh?

  8. "Bypassed security" by JohnGrahamCumming · · Score: 5, Insightful

    Huh? If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.

    Basically the "researchers" represented themselves as being someone else and used a fake (potentially) illegal piece of identification. Doesn't seem clever, just seems fraudulent.

    They then go on to speculate about how "data mining" and RFID might be used for all sorts of nasty tricks and end up sounding like a bunch of paranoid crack-pots.

    So, if I buy a fake passport on a street corner and then use it to enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?

    John.

    1. Re:"Bypassed security" by irokitt · · Score: 5, Insightful

      Nobody is saying the "crackers" were clever. We're saying the "Safety Experts" were stupid. They should have taken precautions in both the physical and electronic realms.

      --
      If my answers frighten you, stop asking scary questions.
    2. Re:"Bypassed security" by JohnGrahamCumming · · Score: 2, Insightful

      > We're saying the "Safety Experts" were stupid. They should have taken precautions in both the physical and electronic realms.

      So to fix the problem that the "researchers" exposed you need a participant to submit _prior_ to the conference some token that only they would know or have. So they could have demanded a photo, fingerprint, eye scan, urine sample beforehand. Then they could have demanded the same when getting your badge.

      But you have to ask whether that would be an appropriate level of security for this event, and that comes down to assessing the level of threat.

      Rather than being "stupid" I suspect that the security people didn't believe that such a high level of identification was necessary. They seemed to have used the same level that any US airport would use: show me a government issued ID and I'll accept it as genuine.

      John.

    3. Re:"Bypassed security" by dark404 · · Score: 3, Interesting
      I think the pseudo-slang term you are looking for to describe what they did is, "Social Engineering." Unfortunately, the weakest link in any system of security (real or virtual) is the user. A parallel can easily be drawn from what was done here to the old days of AOL (maybe the current days too, been years since I used AOL) where script kiddies and wannabe hackers would 'phish' (compromise) accounts by impersonating AOL employees and asking people for their passwords over Instant Messages. Of course people FELL for that even with "AOL will NEVER ask for your password" plastered on every IM box on the system.

      We should be able to trust our fellow man, and on many levels we want to trust people. Because of our predisposition to trusting people (when meeting them face to face, obviously on the internet it is a tad different) the unscrupulous take advantage of that trust. On one hand we're too trusting and get taken advantage of, on the other hand we're too untrusting and our society becomes overly unfriendly. Rock and a hard place.

    4. Re:"Bypassed security" by DataPath · · Score: 4, Insightful

      I don't think the purpose of the writeup is to give m4d pr0pz to the 133t m34tsp4c3 haxxorz. It seems to me that the points they were trying to get across were:

      1) These people have little concern for security, seeing as how they didn't even comply with the multiple applicable laws governing that sort of conference
      2) These people have little concern for privacy, again, as they didn't comply with multiple applicable laws on the matter
      3) Their ineptitude could possibly be opening these people for extortion or blackmail, or even endangering their lives.
      4) These are the people who are deciding how the internet is going to be governed

      --
      Inconceivable!
    5. Re:"Bypassed security" by ShaunC · · Score: 4, Interesting
      If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.
      You'll also find that they should have been required to produce their letter of invitation and a registration number. They had neither, but got in anyway. Perhaps not so much clever as scary, this place is hopping with "important people" and anybody can walk right in with no invite and a fake ID.

      The security at freaking MacWorld was better (or worse, depending on your perspective) than this the last time I went! Unless you got your badge via mail, you had to produce not only your ID but also the credit card that you used to register. Not infallible, but at least a challenge - and Javits wasn't full of diplomats, either.
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    6. Re:"Bypassed security" by Trigun · · Score: 4, Insightful

      Or they could have just sent out invitations by registered mail. If you wanted to get fancy, you could put the RFID in the invite, or *gasp* number them!

    7. Re:"Bypassed security" by whereiswaldo · · Score: 2, Funny

      So, if I buy a fake passport on a street corner and then use it to enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?

      Give it a try. I think that's how David Hasselhoff got his big break.

  9. easy solution by markov_chain · · Score: 3, Funny

    microwave for 1s

    --
    Tsunami -- You can't bring a good wave down!
  10. Further proof (as if any was needed) by Anonymous Coward · · Score: 4, Funny

    that geeks are merely terrorists under another name!

  11. Tracking locations? by fred911 · · Score: 4, Interesting

    In order to track locations to see who's close to who, you need many, many rfid transceivers. Probably so many, so close there'd be other issues (rf issues).

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Tracking locations? by interiot · · Score: 2, Interesting

      Read the article, the badges are "passive" in that they only reflect radio waves sent to it. Also, the RF transmitters/sensors are placed only at entrances and pop machines, so attendees weren't tracked really closely, and apparently they can't sense much more than 20 feet away, making RF interference much less of a problem.

  12. Nothing is safe. by irokitt · · Score: 5, Insightful

    The fact that the security was breached is not the most alarming thing about this. Nothing programmed by man is ever completely safe. The scary thing is that people professing to be security conscious were bested because of something so simple, and which could have been prevented or easily stopped.

    --
    If my answers frighten you, stop asking scary questions.
  13. Re:'Activist' is such a misnomer by anagama · · Score: 4, Interesting
    What's this WSIS about? It seems you sneer at activists when in fact, they might just be protecting your freedom.
    • It doesn't help that there are several topics of great import but huge controversy. The chief among these is Internet governance. In short: who gets to run the Internet?
      ***
      The United States, Europe and English-speaking partners such as Australia favour the existing private-company organisation, ICANN. Whereas developing nations, China, India, Brazil, South Africa and others all want a recognised international body to run the show, ITU.
    Follow the links back a bit.

    And for posters below who seem unimpressed that a quasi governmental agency can monitor who it is you mingle with, or go to private areas for private discussion - you deserve what you'll get. The internet so far has been a model of a borderless world. But many countries are terrified by this concept - you really want them collecting data, manipulating who the attendees will be to prevent certain individuals from blocking their plans? That's nuts.

    --
    What changed under Obama? Nothing Good
  14. Still Important by digitalvengeance · · Score: 4, Insightful

    Though many have criticized this article as not really representing cracking or bypassing security in any impressive manner, I think there is a deeper issue here.

    What information of use could be gleaned at future meetings or other UN events? The same people very likely do event security for this and other conferences, and the type of information that could be gleaned or the damage that could be done at other events is something to be taken seriously.

    Personally, I despise the UN - but they (through US) are a force in the world and a breach of their security is nothing to laugh at too quickly.

    --
    How many roads must a man walk down? 42.
  15. Historical parallel.. by irokitt · · Score: 5, Insightful

    The problem here was one of physical security - all these guys really needed to get started was a name. During the 80's/early 90's, one of the concerns in the security field was also physical security - a hacker posing as a janitor and accessing unsecured systems, or dumpster diving, or using personal connections to get at employees and talk something valuable out of them. I would think that people would have learned by now that it takes more than simple electronic measures to stop "hacking". This could have been prevented if the powers-that-are had made the ID process a little harder.

    --
    If my answers frighten you, stop asking scary questions.
  16. [RFID] Late night on slashdot and the nightmare... by the+man+with+the+pla · · Score: 5, Insightful

    begins.

    They are going to put these in tires. When you buy your tires the seller is going to be required to enter your information in a database.

    One day when you are going a little too fast in a school zone or run a yellow that switches to red too fast an underground computer is going to sense the rfid in your tire, immediately reporting the number via rf link to police headquarters.

    You would think that this would be for the purpose of giving you a ticket. You're right, you will get a ticket. But that is not the end the trail for your rfid number.

    It immediately gets sent to the state government where it checks to make sure you are not a deadbeat dad that the whereabouts of are unknown. Simultaneously sending it to the FBI to see if you are a name on the "patriot" act watchlist and indexes your location. If you drive on the same street on a regular basis they will know where to find you.

    You're not a deadbeat dad, lawbreaker, or terrorist you say??? Well the trail that your rfid number takes does not end there. Your rfid number is sold by cash-strapped states to a commercial database under the auspices of "risk mitigation" that insurance companies subscribe to. Because you were speeding, you are at an increased risk and your car insurance rates are subsequently raised. Because you drive dangerously, your health insurance rates are also raised. Maybe they cancel your policy outright.

    You're thinking I'll just remove the rfid. No you won't. Driving with unregistered tires is against the law, and if the police can't scan you as you drive past his cruiser he pulls you over and immediately suspends your license and impounds your car. But you won't be able to remove it anyway, without destroying the tire, as it is purposefully integrated with the "steel belt".

    Does the trail end for your rfid tire number now? No, it most certainly doesn't. To see where it leads further, you are going to have to talk to my patent attorney.

    --
    The linux hacker
  17. Convenience vs Security by pbug · · Score: 3, Insightful

    The problem with any system in place is when convenience is placed ahead of security. The more convenient it is made for the people who it is going to protect and the people who are enforcing the system, the less secure it will become. Well at least that is what I think part of the problem is.

  18. Since when did /. report on physical security? by LostCluster · · Score: 3, Insightful

    This wasn't a technical hack by any means... they brought a fake ID with the name of a real person on the guest list, and they got that person's badge issued to them. From that point on, they had as much clearance as that real person had, not surprising at all.

    Just goes to show the inherent insecurity in demanding only a government-issued ID when many governments are involved. Any given state's driver's license has many anti-forgery features, but unless you have an inch-thick book with all of the features of every acceptable ID listed, an international event is gonna have a hard time relying on that alone.

    Still, what's newsworthy about this failure? It happened at an important-to-the-Internet event, but it didn't really cause any damage...

  19. Re:'Activist' is such a misnomer by Orne · · Score: 4, Interesting

    No, Reactionary is one tick stronger on the scale

    Political Leaning - "Left" to "Right"
    Revolutionary - Liberal - Status Quo - Conservative - Reactionary

    Government Intervention - "Weak" to "Strong"
    Anarchist - Libertarian - Status Quo - Authoritarian

  20. Mitnick should take advantage of this one by MagicBox · · Score: 2, Insightful

    His biggest *break-ins* were physically walking into a computer room. Nowadays that is the least talked about security issue. Mitnick does a lot of educating on the topic but a lot of people called him *old-fashioned*. Well there you go, it happened, and to none other than WSIS. I think you should check those locks on your server rooms again.

    --
    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
  21. Mr Delegate Do You See Why We Need To Crack Down! by Linus+Sixpack · · Score: 2, Insightful

    Group of idiots commit fraud to crash an important meeting and discover -- rf tags. Then in sanctimonious puffery they tell the world about it because...

    Do you not think the organizers knew there were limits to what they had to spend on security?

    Rfid tags have the advantage of not needing an interpreter if the delegate only speaks another tongue.

    See who gets painted by the same brush as these jerks, not scientists, not researchers...

  22. U.N. and the Internet by TWX · · Score: 2, Insightful

    "4) These are the people who are deciding how the internet is going to be governed"

    Not to get too off-topic, but I don't think that I like the direction that they want to take the Internet. Yes, it spans the globe, but it's something that a lot of private and public American funding went into designing, developing, and maintaining. I understand the need for standards, but I don't think that the U.N. is really right for governing the Internet. They have a hard enough time running peacekeeping missions in European countries, let alone anywhere else in the world, and that's stuff that there has been established methods around for quite some time.

    My basic idea is this-- The U.S. had the single largest contribution to the idea of a global information network in the form of the Internet. If the rest of the world wants one of their own, let them create it themselves. There are enough people in enough other countries that if they want to slowly combine into one government with its own infrastructure, let them. It's called competition, and it's been proven, when coupled with the right amount of cooperation, to be very good at advancing things. If the U.N. builds their own global information network and it's better than the Internet, people will switch. If it's not, either through information availability problems, or through censorship, then it won't. Seems fairly simple.

    --
    Do not look into laser with remaining eye.
    1. Re:U.N. and the Internet by Stachel · · Score: 2, Insightful
      They [the UN] have a hard enough time running peacekeeping missions in European countries

      The UN might be more capable/powerful running those missions if the U.S. were paying their share of the contribution.

      The U.S. had the single largest contribution to the idea of a global information network in the form of the Internet. If the rest of the world wants one of their own, let them create it themselves.

      Ha, but a European guy invented HTML, without which 'American' internet would be pretty useless, wouldn't it?

      --
      Stachel
  23. RTFA by lurker412 · · Score: 4, Informative

    The World Summit on the Information Society is not a security conference. It is concerned with much broader issues of society and technology. You can find more info here

    1. Re:RTFA by John+Harrison · · Score: 2, Insightful
      I would guess that the badges are standard Mifare badges and can be read from a distance of about 5 cm at most. This is not something that is useful for passive tracking. You would have to knowingly present your badge to a reader. Funny how the article didn't mention that.

      There are a variety of smart card and RFID standards, and the two are different animals. This "press release" did nothing to clarify what the cards were. If these guys were such amazing hackers we would know if it is a tag or a card and what the make and model are. We would know what was stored on the card and what security was in place on it. Instead we know just about nothing.

      This could have been really interesting, but the press release is short on information and long on FUD.

  24. Re:[RFID] Late night on slashdot and the nightmare by narratorDan · · Score: 2, Informative

    Simple way of taking care of the RFID tags in this tin hat situation;

    Pay cash, (until the gov stops printing it, they must accept it) give them a fake name and phone number (the phone book is full of them), buy or make an RFID reader and locate the tag in the tire and cut that section of the tire out and put it in a microwave for about 30 seconds. DING! The RFID tag is fried, now replace the cutout in the tire and freely run down kids in school crosswalks with the red lights.

    Hmm, just read the rest of your post. You're screwed.

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  25. More than just Physical Security Issues by MojoReisen · · Score: 4, Insightful

    This is probably another case of "You get what you pay for", but the issues here go beyond simply using a fake ID to breach physical security. The fact that the data needed to fake the ID was culled from the attendee list on the website speaks volumes as to how much thought actually went into the security architecture for this event. I mean, really, someone should have thought of that possibility. Why didn't they verify or vet this identification in some way?
    Another frightening fact is that these jokers' security processes, if you consider the RFIDs as 'security', are violating the laws of both the host country and the EU. This is the biggest issue, IMHO. "Security" also means adhering to all applicable laws and regulations, in order to limit your liability, and the liability of your employer.
    And what about these guys walking around snapping photos of the screener's monitors? What's up with that?
    The bottom line is that these "security experts" at SportAccess, or wherever, are incompetent. Their security model was ill-conceived, poorly executed, needlessly intrusive and (obviously) completely ineffective.

    --
    "Nothing is impossible for the man who refuses to listen to reason"
    1. Re:More than just Physical Security Issues by nagora · · Score: 3, Insightful
      if you consider the RFIDs as 'security', are violating the laws of both the host country and the EU.

      I'm sorry but you seem to be confused: laws are for little people, not big, wise, important people that can be trusted like our leaders.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  26. Re:[RFID] Late night on slashdot and the nightmare by Grue · · Score: 2, Informative

    RFID technology automates all this, no need for the cop anymore. No need for visually checking license plates. Suddenly everyone and anyone is tracked.

    That is the big difference. The fact that this information will be entered into several hundred databases automatically.

  27. Re:[RFID] Late night on slashdot and the nightmare by narratorDan · · Score: 2, Interesting

    They could, but cash changes hands so quickly it would be a lesson in futility. The better idea would be to ban cash (cash is too easy for terrorists to counterfeit) and go solely with credit/debit cards which do have RFID tags as part of the smart chip.

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  28. So what about the person who was imitated? by GodLogiK · · Score: 3, Insightful

    I'm curious what happened to the person who they pretended to be... were they sick? Just didn't show up? Or when they came did security say, "sorry sir you've already signed in" deemed him a fake and locked the real guy away and are torturing him even as we speak? I dunno curious about that....

  29. Fake ID cards by Zog+The+Undeniable · · Score: 2, Funny
    If this was the type of card you just flash at an underpaid, gum-chewing security guard, the authors of the article didn't have to go to much effort to produce a fake.

    As part of physical security testing, my colleagues have successfully gained access to premises using

    • a white sachet of tartare sauce
    • a square-cut jam sandwich
    It's difficult enough getting security guards to turn up for work on the minimum wage, let alone actually *challenge* people.
    --
    When I am king, you will be first against the wall.
  30. Total BS - been there by cocotoni · · Score: 3, Interesting

    The part about RFID tags used for tracking is utter and total BS. In fact yesterday I was at WSIS. I did have the badge, and yes it is marked with an RFID, but the bugger is passive and I had to put it real close to the scanner to read it. I tried to just casually swipe it from afar, but I had to actually put it right in front of the reader.

    More on security: at the entrance you walk through metal detector gates, with an X-ray scanner for the bags. You are processed by 4 security guys - one takes your bags, another works the gate and X-ray scanner, the third scans your badge and compares your face to the picture on the badge to the picture in the DB they get based on the RFID tag. All these images have to match. If there is any problem there is the fourth guy standing behind with a rifle.

    Yes - the 1337 h4x0rz could have bypassed this by getting the official badges, because when you have the badge you don't have anything standing in your way. No - they could not have gotten to the bigwigs, because that part of the conference was separated, with stronger security checks, which were obviously not done just at the place, since the bigwigs were escorted from their mansions, with the whole entourage, and I suppose that you don't expect presidents and prime-ministers to go around carrying badges on the straps around their necks, and walk through the metal-detector gates a few times.

    In fact, the easiest way for "terrorists" to sneak in would be to get listed as active participants by a friendly government of a rogue state.

    I wish that people would concentrate more on the positive results of WSIS, instead of spreading FUD.

    1. Re:Total BS - been there by HeghmoH · · Score: 2, Insightful

      I suppose that you don't expect presidents and prime-ministers to go around carrying badges on the straps around their necks, and walk through the metal-detector gates a few times.

      You know, if there was some kind of law that said all those powerful politicians have to wait in line and go through the security screenings just like us "little people", I bet airport security would be a lot better and more convenient than it is right now. I thought the President was a person, just like you and me. So if I have to wear a badge and go through a metal detector, I think He (whoops, I mean "he") should too.

      Politicians making decisions that have no effect on themselves piss me off to no end.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  31. Two comments by Anonymous Coward · · Score: 4, Informative

    I'm a delegate to WSIS, so I've been here for going on three days...

    First, the security here is quite interesting...as other posters have mentioned, getting into the actual facility is more or less impossible without the proper badge. The exploit that these individuals used was to simply trick the badging desk - a location right next door manned (mostly) by teenage girls. I highly doubt that they're trained security professionals.

    Two, the RFID badge has a range of about an inch. If there are transponders all over the place, I have yet to see them. The physical layout of the building would make it difficult to place them inconspicuously...there's far too much open space, with thirty foot ceilings...

    Just my two cents (CHF)...

  32. Security by salesgeek · · Score: 5, Insightful

    When I was in the US Navy, I got to learn a few things that most security experts get to learn the hard and embarrassing way:

    1) Security is hard work and requires the involvement of people with great integrity willing to work very hard. Security requires the highest level of attention to detail, trust that procedures will be followed and absolute trust that when the procedures don't work, don't apply or are circumvented that the individual will make the right decisions.

    2) You cannot delegate security to any machine. This includes padlocks, safes, computers, surveillance systems, and alarm systems. These are all designed to assist the hard working humans with great integrity. They have no ability to make decisions when their processes fail, are circumvented or don't apply.

    3) The inclusion of anyone without great integrity inside a secured area is insecure. Loose lips sink ships. This is why security is so difficult in any semi-democratic organization - there is no way to exclude those you can't trust.

    4) Confidence is like corrosion. It slowly destroys even the strongest security just as corrosion will eventually sink the most powerful ship in the fleet.

    Sounds like WSIS violated three of four of these rules.

    --
    -- $G
  33. Re:[RFID] Late night on slashdot and the nightmare by clickety6 · · Score: 2, Informative

    Isn't the UK already thinking of taxing every car "seen" on key roads once a day, every day they show up?

    Nope, not thinking of it - in the "congestion zone" of London they are already DOING this!

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  34. Better case is made by the "pictures" page by Halo- · · Score: 4, Informative
    I have to admit the main link was a bit of a let-down, but after following the link to the pictures page, I start to see why this is a big deal. A few things happened which aren't well expressed in the main link:
    1. Participants were sent credentials which were supposed to serve as a second form of ID. The activists circumvented this second ID by simply claiming to be someone else and showing a generic fake ID. The list of participants was available beforehand, which was a mistake. Think of it like if an airport published lists of all the passengers on a plane and allowed "ticketless" travel using any form of ID (instead of government-issued photo ID). You just need to say you're "John Smith" and present a fake anything (library card, etc...)
    2. Notice all the cameras in the photos? That's sorta creepy. My bank doesn't have that many.
    3. There are pictures of RFID scanners, which means the whole "they are gonna track participants movements" bit isn't entirely tinfoil-hat paranoia. The presence of the sensors implies they plan to track.
    4. There were metal detectors and X-Ray machines manned by the Swiss Army (insert knife joke here) at the entrances, but they didn't get placed until very late. The "safety" this buys the participants is marginal unless the entire conference center was swept very, very carefully after the gates were put up. Most people with the motive to blow up an international conference don't do it as a spur of the moment thing. When a head of state visits somewhere, an advance team sweeps the room/route/etc and seals it as they go.
    5. Privacy and data security are totally lacking. The organizers failed to inform participants about what information was to be collected, and more severely, couldn't produce a detailed accounting when asked. The data collected was visible on monitors to casual observers, which completely negates most of the value and allows for theft.

    In short, the photos show a group that appears to know how to spend a lot of money on toys, but doesn't know how to use them. I think this is a serious concern. The information they are collecting isn't providing security, and could actually undermine it.

    The illusion of security is worse than no security at all.
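The badging-desk failure described in point 1 of the comment above, modelled in code. This is an added example, not code from the Slashdot thread or from the WSIS organizers: the participant list, the names and the registry class are all constructed for illustration. The weak policy issues a badge to anyone whose claimed name appears on the (public) participant list and who shows some ID. The hardened policy requires the credential that was mailed to the registrant, checks it against a keyed hash held only by the desk, requires that the photo ID actually match the claimed name, and refuses to issue the same credential twice.

```python
"""Badging-desk check: name-on-list vs. mailed credential (added example).

Assumptions (not from the page): PARTICIPANTS stands in for the pre-published
participant list; CredentialRegistry stands in for whatever the organizers
used to mail a second-form-of-ID credential to each registrant.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: the public participant list, keyed by lower-cased name.
PARTICIPANTS = {
    "john smith": "Delegation A",
    "maria rossi": "Delegation B",
}


def weak_issue_badge(claimed_name: str, any_id_shown: bool) -> bool:
    """Weak policy: a badge is issued if the claimed name is on the public
    list and the person shows *some* ID. Anyone who has read the list and
    holds a library card for the matching name passes."""
    return claimed_name.lower() in PARTICIPANTS and any_id_shown


class CredentialRegistry:
    """Hardened policy: the desk verifies a credential that was issued to the
    registrant ahead of time and that is never derivable from the public list."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # desk-side secret, never mailed out
        self._issued: dict[str, str] = {}    # name -> keyed digest of the mailed token
        self._used: set[str] = set()         # names whose credential has been redeemed

    def _digest(self, name: str, token: str) -> str:
        msg = f"{name.lower()}:{token}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, name: str) -> str:
        """Generate the credential mailed to a registrant; only its keyed
        digest is stored, so a leaked registry does not yield usable tokens."""
        if name.lower() not in PARTICIPANTS:
            raise KeyError(f"{name!r} is not a registered participant")
        token = secrets.token_urlsafe(16)
        self._issued[name.lower()] = self._digest(name, token)
        return token

    def strong_issue_badge(self, claimed_name: str, presented_token: str,
                           photo_id_matches_name: bool) -> bool:
        """Badge is issued only if: the name was actually issued a credential,
        that credential has not already been redeemed, the presented token
        verifies under the desk key, and the photo ID matches the name."""
        key = claimed_name.lower()
        expected = self._issued.get(key)
        if expected is None or key in self._used:
            return False
        if not hmac.compare_digest(expected, self._digest(claimed_name, presented_token)):
            return False
        if not photo_id_matches_name:
            return False
        self._used.add(key)
        return True


def demo() -> dict[str, bool]:
    """Run both policies against the same impostor scenario from the comment."""
    registry = CredentialRegistry()
    real_token = registry.issue("John Smith")  # mailed to the real John Smith
    return {
        # Impostor: knows the name from the public list, shows a library card.
        "weak_accepts_impostor": weak_issue_badge("John Smith", any_id_shown=True),
        # Same impostor against the hardened desk: no mailed token, no match.
        "strong_rejects_impostor": not registry.strong_issue_badge(
            "John Smith", "not-the-mailed-token", photo_id_matches_name=False),
        # Legitimate registrant with the mailed credential and matching photo ID.
        "strong_accepts_registrant": registry.strong_issue_badge(
            "John Smith", real_token, photo_id_matches_name=True),
        # Replay of the same credential a second time is refused.
        "strong_rejects_replay": not registry.strong_issue_badge(
            "John Smith", real_token, photo_id_matches_name=True),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the keyed digest is that the desk's copy of the registry is as useless to an outsider as the public participant list: even someone who reads the desk's screen (point 5 above) learns only HMAC digests, not the tokens that were mailed. The photo-ID check remains a human decision, which is why the hardened policy still depends on the desk staff comparing the ID to the claimed name rather than accepting "a fake anything".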