[SecurityRatty] tag: passports

on HITB 2008 Conference

Mon, 27 Oct 2008 07:48:00 +0000

Not to pretend to steal Halvar Flake's glory, but I just got my own "fun" international travel story, which also spells bad news to those who wanted to hear my fun keynote at Hack In The Box 2008 in Kuala Lumpur, Malaysia.

To make the short story ... even shorter :-), I got kicked off my flight since my passport is only valid 5.5 months in the future and Malaysia requires that visitors' passports are valid for 6 months from the date of arrival (not that they make it anywhere near clear on their embassy website or anything :-)).

What makes it funnier is that I got so used to US dates of month/day/year that I actually was genuinely shocked when they said "you passport is not valid for 6 months" while it clearly said "Expires on 8/4/2009" ...

So much for Kuala Lumpur :-( Back to work now.

How To Disable Your Passport's RFID Chip

Fri, 17 Oct 2008 16:20:01 +0000

All passports issued by the US State Department after have always-on RFID chips, making it easy for officials – and hackers – to grab your personal stats.

How To Disable Your Passport's RFID Chip

Fri, 17 Oct 2008 16:20:01 +0000

All passports issued by the US State Department after have always-on RFID chips, making it easy for officials – and hackers – to grab your personal stats.

How to Clone and Modify E-Passports

Tue, 30 Sep 2008 08:24:51 +0000

The Hackers Choice has released a tool allowing people to clone and modify electronic passports.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.

Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.

Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.

For Some, Stealing IDs Means More Than Fast Cash

Thu, 18 Sep 2008 07:54:49 +0000

Over a hundred people in the last few years have been charged with stealing IDs of dead people, in order to evade the law for various reasons — something that could probably be avoided with better computerized ID systems. Granted a hundred out of how many billion in the States is not that many people, however other reasons for ID theft are sometimes overlooked when we talk about scams. Here are some of the details:

Several of the defendants have been convicted of stealing dead people’s identities to cover up their status as illegal immigrants, military deserters or convicted drunken drivers, federal officials said.

Between July 2005 and August of this year, 112 people were charged in federal court as part of the investigation, which federal officials called “Operation Deathmatch.” Authorities seized $650,000 in cash, a Mercedes-Benz, three guns and more than 80 of the fraudulent passports.

For more case studies, read the article in the SF Gate (online version of the Chronicle).

Dont Put Too Much Faith in High-Tech Passports

Tue, 12 Aug 2008 04:38:22 +0000

Two European researchers have found a way to defeat the chips being placed in passports to eliminate fraud. It’s another reminder never to place blind faith in technology.

E-Passports Can Be Hacked and Cloned in Minutes

Thu, 07 Aug 2008 09:30:03 +0000

A computer researcher proved it by cloning the chips in two British passports and then implanting digital images of Osama bin Laden and a suicide bomber. Both passports passed as genuine by UN approved passport reader software. The entire process took less than an hour.

UK Electronic Passport Cloned

Thu, 07 Aug 2008 02:11:52 +0000

The headline says it all: "‘Fakeproof’ e-passport is cloned in minutes."

Does this surprise anyone? This is what I wrote about electronic passports two years ago in The Washington Post:

The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a "meaningless stunt," pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.
This is perhaps the greatest risk. The security mechanisms on your passport chip have to last the lifetime of your passport. It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time. Improvements in antenna technology will certainly increase the distance at which they can be read and might even allow unauthorized readers to penetrate the shielding.

3,000 Blank British Passports Stolen

Thu, 31 Jul 2008 02:08:59 +0000

Looks like an inside job.

Danger in Dubai?

Tue, 17 Jun 2008 13:57:00 +0000

Those who come to Dubai could be forgiven for thinking that this is an Oasis in a peaceful desert. In reality though, they would do well to remember that this Oasis is located in the middle of a volatile region.

I came to Dubai and the United Arab Emirates a week ago to promote an International Executive Protection course that we are holding here later in the summer. While it is true that most citizens in the U.A.E. are law abiding, there is potential here for opportunists to turn that around. Anyone who spends anytime here, especially in the vicinity of Dubai, will see that it is an extremely wealthy area.

I was talking to an ex-pat business man last night at dinner and he made the comment that a friend of his could not get the attention of the Valets at a local club recently because he was "only driving a Porsche 911". The valets were too busy finding premium parking spots for the Bentleys, Aston Martins and Ferraris. This is why Sexton Executive Security is opening an office in the U.A.E. We believe it is only a matter of time before cunning criminals realize how much money they could make from kidnappings, stealing luxury cars/chop shops and a host of other crimes.

Then yesterday morning something else happened. One of the Embassies released a terrorist alert warning for the U.A.E. Despite the fact that this is the Middle East, alerts like this are not common. Afteralll, this is a shopper's paradise where vistors can spend thousands of dollars on a hotel suite for the night. Now we have begun to compile a list of Executive Protection Specialists with current passports who are available for International assignments.

Don't let the bright lights fool you. This is not Kansas Dorothy. Keep your eyes open and like they used to say on Hill Street Blues; "let's be careful out there."