[SecurityRatty] tag: passport

on HITB 2008 Conference

Mon, 27 Oct 2008 07:48:00 +0000

Not to pretend to steal Halvar Flake's glory, but I just got my own "fun" international travel story, which also spells bad news to those who wanted to hear my fun keynote at Hack In The Box 2008 in Kuala Lumpur, Malaysia.

To make the short story ... even shorter :-), I got kicked off my flight since my passport is only valid 5.5 months in the future and Malaysia requires that visitors' passports are valid for 6 months from the date of arrival (not that they make it anywhere near clear on their embassy website or anything :-)).

What makes it funnier is that I got so used to US dates of month/day/year that I actually was genuinely shocked when they said "you passport is not valid for 6 months" while it clearly said "Expires on 8/4/2009" ...

So much for Kuala Lumpur :-( Back to work now.

Researchers find problems with RFID passport cards

Thu, 23 Oct 2008 20:00:00 +0000

RFID tags used in two new types of border-crossing documents in the U.S. are vulnerable to snooping and copying, a researcher said on Thursday.

How To Disable Your Passport's RFID Chip

Fri, 17 Oct 2008 16:20:01 +0000

All passports issued by the US State Department after have always-on RFID chips, making it easy for officials – and hackers – to grab your personal stats.

How To Disable Your Passport's RFID Chip

Fri, 17 Oct 2008 16:20:01 +0000

All passports issued by the US State Department after have always-on RFID chips, making it easy for officials – and hackers – to grab your personal stats.

The Importance of Advance Planning in Executive Protection

Sun, 12 Oct 2008 16:10:00 +0000

I was delighted to see the Herald Standard quoting an executive/close protection agent regarding the importance of Advance work.

Sy Alli is an E.P./C.P. team leader for "Limited Brands Inc.," and was speaking at the California University of Pennsylvania's 2nd annual conference on Corporate and Homeland Security.

Mr. Alli was describing a previous trip to Indonesia where he was in charge of the advance to make sure everything was in place before the Principal arrived out with the other protective agents. Very accurately, he described the need to cover every minute detail from the routes of travel to the alternative routes and to include such important features as local hospitals should medical treatment be needed.

Another important point highlighted was the need for agents to have access to contacts in different countries who could assist with logistics, general and specialized support on the ground, current political situations, etc.

Far too often I am approached by security persons (and not even all are qualified/trained in executive or close protection)who find out that we may have overseas work and want to be included. On some occassions, those requesting to be included on the detail did not even have a current passport!

If you are serious about making a career out of this line of work, you owe it to yourself to do your homework. Over the years I have developed hundreds of contacts all over the world who will respond immediately and who can be trusted to support us in any number of situations and scenarios.

This took a lot of preparing and involved constant contact. It is not something that you throw together a day before your client is scheduled to arrive in a country. If you have people in different parts of the country, or world if you wish to work globally, who can assist when you are in need, you will be able to facilitate your client in a way that will not only gain his/her admiration, but will undoubtedly cement your position in that client's security detail.

In these unsure times, there is a lot to be said for knowing your job is safe for the foreseeable future.

RFID passport hack has scanner seeing visions of Elvis

Fri, 03 Oct 2008 11:53:07 +0000

Building on a security researcher's description of a method of hacking passport RFID chips (and using some of that researcher's code) a group has described how to insert arbitrary data into key fields—in this case, Elvis' personal info.

RFID passport hack has scanner seeing visions of Elvis

Fri, 03 Oct 2008 11:53:07 +0000

How to Clone and Modify E-Passports

Tue, 30 Sep 2008 08:24:51 +0000

The Hackers Choice has released a tool allowing people to clone and modify electronic passports.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.

Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.

Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.

John McCain: Desperate and Reckless

Fri, 26 Sep 2008 14:54:27 +0000

Normally I would not blog about political topics here, but this is an extraordinary time in history and extraordinary times call for extraordinary posts from time-to-time.

John McCain is, objectively, a bad decision maker, desperate and reckless. He knows that his party is in trouble and that the Democrats have the advantage; so what does he do?

First, he picks a very conservative, inexperienced female governor from Alaska who, until recently, did not even have a US passport, as his running mate. This was an obvious act of desperation, thinking that he could pull the Hillary votes in the election. A heartbeat from the US Presidency at a time when there are two ongoing wars and our country on the verge of economic collapse and he gambles with a “Hail Mary” touchdown pass? This is not the man we need as President.

Then, not even a member of the Banking committee in the Senate, and self-described “not knowledgeable on economic issues”, John McCain tries another “Hail Mary” pass by rushing off to DC to “save the world” and tries to demand Obama suspend his campaign and the debates? The US is on the brink of economic collapse and McCain puts politics and election desperation above the future of the country? This is not the man we need as President.

During the same period, Barack Obama has proven to be cool, intelligent, and a good decision maker. This should be obvious to anyone with the mind to actually think what is good for the country and not about politics.

John McCain is desperate and reckless. We don’t need desperate and reckless people leading this country.

Passport Snooping Gets Fed Intelligence Analyst Up to Year in Prison

Mon, 22 Sep 2008 00:00:00 +0000

A State Department intelligence analyst pleads guilty in federal court to charges of privacy invasion of hundreds of celebrities, politicians, athletes and others. Lawrence Yontz faces up to a year in prison when sentenced next month.