This threat brought to you by RFID

By Dan Goodin in San Francisco • The Register

Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the US, UK, and some 50 other countries that allow attackers to trace the movements of individuals as they enter or exit buildings.

The so-called traceability attack is not the only exploit of an e-passport that allows attackers to remotely track a given credential in real time without first knowing the cryptographic keys that protect it, the scientists from University of Birmingham said. What’s more, RFID, or radio-frequency identification, data in the passports can’t be turned off, making the threat persistent unless the holder shields the government-mandated identity document in a special pouch.

“A traceability attack does not lead to the compromise of all data on the tag, but it does pose a very real threat to the privacy of anyone that carries such a device,” the authors, Tom Chothia and Vitaliy Smirnov, wrote. “Assuming that the target carried their passport on them, an attacker could place a device in a doorway that would detect when the target entered or left a building.”

To exploit the weakness, attackers would need to observe the targeted passport as it interacted with an authorized RFID reader at a border crossing or other official location. They could then build a special device that detects the credential each time it comes into range. The scientists estimated the device could have a reach of about 20 inches.

“This would make it easy to eavesdrop on the required message from someone as they used their passport at, for instance, a customs post,” the authors wrote.

The attack works by recording the unique message sent between a particular passport and an official RFID reader and later replaying it within range of the special device. By measuring the time it takes the device to respond, attackers can determine whether the targeted passport is within range. In the case of e-passports from France, the process is even easier: electronic credentials from that country will return the error message “6A80: Incorrect parameters” if the targeted person is in range and “6300: no information given” if the person is not.

The research is only the latest to identify the risks of embedding RFID tags into passports and other identification documents. Last year, information-security expert Chris Paget demonstrated a low-cost mobile platform that surreptitiously sniffs the unique digital identifiers in US passport cards and next-generation drivers licenses. Among other things, civil liberties advocates have warned that those identifiers could be recorded at political demonstrations or other gatherings so police or private citizens could later determine whether a given individual attended.

To be sure, the practicality of traceability attacks is more limited because a targeted passport first must be observed within range of a legitimate reader. But once this hurdle is cleared – as would be relatively easy for unscrupulous government bureaucrats to do – the attack becomes a viable way to track a target.

Chothia and Smirnov of the University of Birmingham’s School of Computer Science said the security hole can be closed by standardizing error messages and “padding” response times in future e-passports. But that will do nothing to protect holders of more than 30 million passports from more than 50 countries who are vulnerable now, they said.

And that’s sure to fuel criticism of RFID-enabled identification.

“This is a great example of why e-passports are a bad idea,” Paget wrote in an email to The Register. “It’s simply too expensive to replace vulnerable documents (especially when they have a 10-year lifespan) in response to legitimate security concerns, regardless of their severity. People will continue to poke holes in e-passports; without a mechanism to fix those problems there’s a strong argument that’s we’re better off without the RFID.”

The FBI says the used an image found on Google of Spanish lawmaker Gasper Llamazares, right, to create a digitally altered photo of what an aged Osama bin Laden might look like, as reported by El Mundo. Madrid, Spain – A Spanish lawmaker says he was stunned to find that the FBI used his photograph as part of a digitally enhanced image showing what Osama bin Laden might look like today.

Gaspar Llamazares says he would no longer feel safe in the U.S. after his hair and other features appeared on a wanted poster showing an older bin Laden on a U.S. government Web site rewardsforjustice.net. A reward of up to $25 million is offered.

Spanish newspaper El Mundo, which noted the similarities between the bin Laden composite and Mr. Llamazares, quotes FBI spokesman Ken Hoffman as acknowledging that the agency used a picture of Llamazares taken from Google Images for the digitally altered image of bin Laden.

The photo appeared on a U.S. State Department Web site rewardsforjustice.net, where a reward of up to $25 million is offered for bin Laden, wanted in the Sept. 11, 2001 attacks and the 1998 U.S. embassy bombings in Tanzania and Kenya.

Llamazares said he planned to ask the U.S. government for an explanation and reserved the right to take legal action.

FBI headquarters in Washington did not respond immediately when asked for comment Saturday, requesting that questions be sent to them by e-mail. The State Department told a reporter to call back Tuesday after the U.S. federal holiday on Monday.

Llamazares said he couldn’t believe it when he was first told about the similarity, but he quickly realized the seriousness of the situation.

The 52-year-old politician said he would not feel safe traveling in the U.S. now, because many airports use biometrics technology that compares the physical characteristics of travelers to passport or other photographs.

“I have no similarity, physically or ideologically, to the terrorist bin Laden,” he said.

They do share on characteristic — both are 52.

Jose Morales, spokesman for Llamazares’ party, told the Associated Press that no one in Spain had any idea that important security computer images such as the retouched bin Laden photo were built up from photographs of real people. Llamazares, the former leader of his party, was elected to Spain’s parliament in 2000.

Llamazares said it was worrying to see elite security services like the FBI resorting to such sloppy techniques, especially in the light of recent security alerts like the attempted Christmas Day bombing of a Detroit-bound airplane.

“It might provoke mirth, but it demonstrates that what we’re seeing from security services isn’t exactly recommendable,” he said.

Bin Laden is believed to be hiding in the lawless Pakistan frontier bordering Afghanistan. His exact whereabouts have been unknown since late 2001, when he and some bodyguards slipped out of the Tora Bora mountains, evading air strikes, U.S. special forces and Afghan militias.

The U.S. State Department Web site shows the photos and bounty on bin Laden and 41 others wanted for terrorism.

http://www.thestar.com/news/world/article/744199—israelification-high-security-little-bother
The ‘Israelification’ of airports: High security, little bother
Cathal Kelly Staff Reporter 

Voyeurism Security

While North America’s airports groan under the weight of another sea-change in security protocols, one word keeps popping out of the mouths of experts: Israelification.

That is, how can we make our airports more like Israel’s, which deal with far greater terror threat with far less inconvenience.

“It is mindboggling for us Israelis to look at what happens in North America, because we went through this 50 years ago,” said Rafi Sela, the president of AR Challenges, a global transportation security consultancy. He’s worked with the RCMP, the U.S. Navy Seals and airports around the world.

“Israelis, unlike Canadians and Americans, don’t take s— from anybody. When the security agency in Israel (the ISA) started to tighten security and we had to wait in line for — not for hours — but 30 or 40 minutes, all hell broke loose here. We said, ‘We’re not going to do this. You’re going to find a way that will take care of security without touching the efficiency of the airport.”

That, in a nutshell is “Israelification” – a system that protects life and limb without annoying you to death. 
Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

The first layer of actual security that greets travellers at Tel Aviv’s Ben Gurion International Airport is a roadside check. All drivers are stopped and asked two questions: How are you? Where are you coming from?

“Two benign questions. The questions aren’t important. The way people act when they answer them is,” Sela said.

Officers are looking for nervousness or other signs of “distress” — behavioural profiling. Sela rejects the argument that profiling is discriminatory.

“The word ‘profiling’ is a political invention by people who don’t want to do security,” he said. “To us, it doesn’t matter if he’s black, white, young or old. It’s just his behaviour. So what kind of privacy am I really stepping on when I’m doing this?”

Once you’ve parked your car or gotten off your bus, you pass through the second and third security perimeters.
Armed guards outside the terminal are trained to observe passengers as they move toward the doors, again looking for odd behaviour. At Ben Gurion’s half-dozen entrances, another layer of security are watching. At this point, some travellers will be randomly taken aside, and their person and their luggage run through a magnometer.

“This is to see that you don’t have heavy metals on you or something that looks suspicious,” said Sela.
You are now in the terminal. As you approach your airline check-in desk, a trained interviewer takes your passport and ticket. They ask a series of questions: Who packed your luggage? Has it left your side?

“The whole time, they are looking into your eyes — which is very embarrassing. But this is one of the ways they figure out if you are suspicious or not. It takes 20, 25 seconds,” said Sela.

Lines are staggered. People are not allowed to bunch up into inviting targets for a bomber who has gotten this far.

At the check-in desk, your luggage is scanned immediately in a purpose-built area. Sela plays devil’s advocate — what if you have escaped the attention of the first four layers of security, and now try to pass a bag with a bomb in it?

“I once put this question to Jacques Duchesneau (the former head of the Canadian Air Transport Security Authority): say there is a bag with play-doh in it and two pens stuck in the play-doh. That is ‘Bombs 101′ to a screener.. I asked Ducheneau, ‘What would you do?’ And he said, ‘Evacuate the terminal.’ And I said, ‘Oh. My. God.’

“Take Pearson. Do you know how many people are in the terminal at all times? Many thousands. Let’s say I’m (doing an evacuation) without panic — which will never happen. But let’s say this is the case. How long will it take? Nobody thought about it. I said, ‘Two days.’”

A screener at Ben-Gurion has a pair of better options.
First, the screening area is surrounded by contoured, blast-proof glass that can contain the detonation of up to 100 kilos of plastic explosive. Only the few dozen people within the screening area need be removed, and only to a point a few metres away.

Second, all the screening areas contain ‘bomb boxes’. If a screener spots a suspect bag, he/she is trained to pick it up and place it in the box, which is blast proof. A bomb squad arrives shortly and wheels the box away for further investigation.

“This is a very small simple example of how we can simply stop a problem that would cripple one of your airports,” Sela said.

Five security layers down: you now finally arrive at the only one which Ben-Gurion Airport shares with Pearson — the body and hand-luggage check.

“But here it is done completely, absolutely 180 degrees differently than it is done in North America,” Sela said.
“First, it’s fast — there’s almost no line. That’s because they’re not looking for liquids, they’re not looking at your shoes. They’re not looking for everything they look for in North America. They just look at you,” said Sela. 

“Even today with the heightened security in North America, they will check your items to death. But they will never look at you, at how you behave. They will never look into your eyes … and that’s how you figure out the bad guys from the good guys.”

That’s the process — six layers, four hard, two soft. The goal at Ben-Gurion is to move fliers from the parking lot to the airport lounge in a maximum of 25 minutes.
This doesn’t begin to cover the off-site security net that failed so spectacularly in targeting would-be Flight 253 bomber Umar Farouk Abdulmutallab — intelligence. In Israel, Sela said, a coordinated intelligence gathering operation produces a constantly evolving series of threat analyses and vulnerability studies. 

“There is absolutely no intelligence and threat analysis done in Canada or the United States,” Sela said. “Absolutely none.”

But even without the intelligence, Sela maintains, Abdulmutallab would not have gotten past Ben Gurion Airport’s behavioural profilers.

So. Eight years after 9/11, why are we still so reactive, so un-Israelified?

Working hard to dampen his outrage, Sela first blames our leaders, and then ourselves.

“We have a saying in Hebrew that it’s much easier to look for a lost key under the light, than to look for the key where you actually lost it, because it’s dark over there. That’s exactly how (North American airport security officials) act,” Sela said. “You can easily do what we do. You don’t have to replace anything. You have to add just a little bit — technology, training.. But you have to completely change the way you go about doing airport security. And that is something that the bureaucrats have a problem with. They are very well enclosed in their own concept.”

And rather than fear, he suggests that outrage would be a far more powerful spur to provoking that change.
“Do you know why Israelis are so calm ? We have brutal terror attacks on our civilians and still, life in Israel is pretty good. The reason is that people trust their defence forces, their police, their response teams and the security agencies.

They know they’re doing a good job. You can’t say the same thing about Americans and Canadians. They don’t trust anybody,” Sela said. “But they say,… ‘ So far, so good…’ Then if something happens, all hell breaks loose and you’ve spent eight hours in an airport. Which is ridiculous. Not justifiable

“But, what can you do? Americans and Canadians are nice people and they will do anything because they were told to do so and because they don’t know any different.”

The Phnom Penh Post
Chrann Chamroeun and Mom Kunthear

Police arrest group after catching one suspect wearing a fake two-star general’s uniform

SEVEN people were sent to Ratanakkiri provincial court on Wednesday after they were found with forged government documents and fake military police uniforms, a provincial military police chief told the Post.

Tuy Sim, Ratanakkiri provincial Military Police chief, said his officials had arrested the group after one of its members was caught wearing a fake general’s uniform.

——————————————————————————–
…when he began to panic they suspected him and took them to the police station.
——————————————————————————–

“Our men had lunch with [one of the suspects] and he was wearing casual clothes, and then later in the day they saw him wearing a two-star general’s military police uniform travelling to a pagoda in a Mitsubishi car with six other people,” Tuy Sim said.

He added that upon raiding the car, police found a gun, four other uniforms and forged documents, including one with the signature of Prime Minister Hun Sen and another that was signed by Minister of Agriculture Chan Sarun.

“They asked him for his name and which unit he came from, and when he began to panic, they suspected him and took them to the police station,” he said.

Illegal logging suspected
Pen Bonnar, provincial coordinator for the rights group Adhoc, told the Post Wednesday that he welcomed the arrests because he believed the group was likely involved in illegal logging.

“I request that authorities further investigate the group, as we have found that a lot of people who have fake police uniforms and forged documents are involved in illegal logging.”

By Jonathan Kent,  BBC News, Kuala Lumpur

Police in Malaysia are hunting for members of a violent gang who chopped off a car owner’s finger to get round the vehicle’s hi-tech security system.

The car, a Mercedes S-class, was protected by a fingerprint recognition system.

Accountant K Kumaran’s ordeal began when he was run down by four men in a small car as he was about to get into his Mercedes in a Kuala Lumpur suburb.

The gang, armed with long machetes, demanded the keys to his car.

It is worth around $75,000 second-hand on the local market, where prices are high because of import duties.

Stripped naked

The attackers forced Mr Kumaran to put his finger on the security panel to start the vehicle, bundled him into the back seat and drove off.

But having stripped the car, the thieves became frustrated when they wanted to restart it. They found they again could not bypass the immobiliser, which needs the owner’s fingerprint to disarm it.

They stripped Mr Kumaran naked and left him by the side of the road – but not before cutting off the end of his index finger with a machete.

Police believe the gang is responsible for a series of thefts in the area.

Published: 6:44PM Monday September 21, 2009
Source: ONE News

New technology designed to prevent identity fraud is sparking “big brother”-like concerns.
Legislation being debated in parliament will allow Immigration New Zealand to use biometric checking to stop those who are not who they claim they are from crossing borders illegally.
But there are fears these new powers will be extended to other arms of the state.

ONE NewsAn example of biometric testing

The shape of your face, the width of your nose, iris patterns, fingerprints, the way you walk, even the way you type are unique characteristics.
It is information governments around the world are keen to collect, says Michael Bott from the Council for Civil Liberties.
“The more information the state has about you, the more they can track your movements and control you. Knowledge is power,” he says.
From the end of 2009, New Zealanders and Australians with electronic passports will have the option of using SmartGate to get through customs quickly. Your image is checked against the biometric identity data chip in your e-passport.
Advertisement
“This technology will actually pinpoint multiple points on cheekbones, nose and eye and if the distance is fractionally out it will go ‘this is not the person’,” says Customs Minister Maurice Williamson.
Under new immigration legislation making its way through parliament on Tuesday, anyone arriving in New Zealand will be required to provide biometric data.
Immigration New Zealand says biometrics could have prevented a man allegedly linked to the September 11 attackers from crossing the border. He spent four months in New Zealand before being deported.
“We, along with every other country, have been the victim of identity fraud and identity crime,” says Immigration Identity Programme Manager Aaron Baker .
ONE News has been told New Zealand has joined Canada, Britain, Australia and the United States to work more closely on managing entry visas.
Three of those countries have agreed to share biometric information. New Zealand has not yet, but is likely to do so.
Privacy concerns
A report obtained by ONE News has highlighted some of the potential threats to privacy if biometric information is shared too widely.
The new legislation allows immigration to share data with other departments if a migrant or visitor applies for a taxpayer funded service like hospital treatment.
Privacy Commissioner Marie Schroff would like to see more details around how there will be protections around that information.
There are also concerns a law that allows one government agency to collect biometric data will allow others to follow.
Overseas, the technology is already used to check the identities of drivers, prison visitors and welfare beneficiaries.
Biometric technology is becoming more sophisticated. However, there are genuine fears that the rights of citizens to privacy will be left behind as technology advances.