In a recent article on searchfinancialsecurity.com, IBM revealed that they are testing a new device that operates similarily to a USB mass storage device. After the device gets plugged in to the USB port the stick runs a windows internet window that allows the user to conduct secure banking transactions. The crux of the program is in that it completely bypasses computer completely. Therefore, in theory even if malacious spyware is used to find key strokes on the computer, it will not register because the internet window is being run completely outside of the computer's processes. The biggest question that remains assuming everything works is how will it be priced and if people will buy it?
In the past similar devices such as smart cards have provided banks and customers with a form of external validation before conducting secure transfers. These devices however are very expensive and sometimes not easy to use. IBM's device is different its easy to use, just plug and play, and a secure internet connection is set up to conduct transactions. Given the huge drop in the price of memory space over the years IBM could produce a production model for a relatively cheap price that will provide security to bankers and their customers in the future.
http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1337090,00.html
Friday, October 31, 2008
Wednesday, October 29, 2008
Networking Slides
The networking slides I used in class are available online.
Also, if you want more information on using Wireshark, you may wish to read an article I wrote for SearchSecurity: WireShark tutorial: How to sniff network traffic.
As a reminder, it is illegal in many jurisdictions to monitor traffic on a network that does not belong to you. I am providing this tool to you for educational purposes only and suggest that you run it only to capture traffic on a local network that belongs to you.
Also, if you want more information on using Wireshark, you may wish to read an article I wrote for SearchSecurity: WireShark tutorial: How to sniff network traffic.
As a reminder, it is illegal in many jurisdictions to monitor traffic on a network that does not belong to you. I am providing this tool to you for educational purposes only and suggest that you run it only to capture traffic on a local network that belongs to you.
Hackers breach World Bank servers
According to the news cast Foxnews hacker were able to hack into the world bank servers and had access to a lot of sensitive material. "The hackers were able to gain access to the entire World Bank network, including the institution's "highly-restricted treasury unit." The breach comes as World Bank President Robert Zoellick is attempting to position the Bank as a major player in ensuring global financial stability."
The hackers had access to servers that contained "scanned images of staff documents" as well as one that included contract procurement data, according to the FOXNews.com story. The World Bank has been attempting to downplay the situation as well as reassure its staff that no sensitive information had been accessed and that their personal information was not at risk. However, after the breach was discovered, the Bank's senior technology manager was quoted as calling the situation an "unprecedented crisis." Another senior Bank staffer revealed that the FBI had become involved and that the hackers had "access to everything," particularly all of the worldwide information of the International Finance Corporation (IFC), the private sector arm of the World Bank"
The Rest of the Article is here
:http://www.bicusa.org/en/Article.3915.aspx
The hackers had access to servers that contained "scanned images of staff documents" as well as one that included contract procurement data, according to the FOXNews.com story. The World Bank has been attempting to downplay the situation as well as reassure its staff that no sensitive information had been accessed and that their personal information was not at risk. However, after the breach was discovered, the Bank's senior technology manager was quoted as calling the situation an "unprecedented crisis." Another senior Bank staffer revealed that the FBI had become involved and that the hackers had "access to everything," particularly all of the worldwide information of the International Finance Corporation (IFC), the private sector arm of the World Bank"
The Rest of the Article is here
:http://www.bicusa.org/en/Article.3915.aspx
Security Review Virtual Private Networks
Source: http://computer.howstuffworks.com/vpn.htm
Since we have been talking about networking I found this new form of networking called Virtual Private Networks (VPN). They are made mainly for businesses and provide remote access to other computers/servers through a web browser, instead of a remote access program. This is important for businesses because many business people are constantly traveling. VPN are secured with a firewall and it integrates with your system which will allow you to have remote access to your business computers/ corporate networks via a web browser. It also allows your customers to access your network. The security goals I would have for the technology is that all the information sent through the VPN is secure and cannot be hacked into. Also I would want to make sure that only people who have permission to access the network are the only ones granted access. And I would want the network to be reliable so that it is not down. According to the video it allows up to 25 people to connect to the network using VPN. One problem with this is what if you have more than just 25 people traveling who need access? Will the system crash and not be able to handle everyone’s requests. Threats that may exist could be people gaining access to sensitive business information if they can crack your user name and password, or if they can monitor the computer you use to access the corporate network using VPN. Since it is all web browser based, if someone hacks onto your computer network they may be able to steal/view information from the corporate network. VPN are relatively cheap for businesses to use and seem to be more efficient. So the risk of people hacking into the system can be managed by implementing other security measures on the VPN, such as a timed logout. If you are a business person and are at a coffee shop and you have to get up to go to the bathroom or something, there could be a set amount of idle time before the browser automatically logs you out so that other people can no jump on you computer and view your business information. VPN are also helpful since it can be accessed using PDAs so in meetings or other places where you only have a phone/PDA available, it would be very convenient. As far as the risks, the company would need to secure the network and encrypt the information sent. Also monitoring the VPN networks to see who is actually using it would help keep hackers at bay. I think this product is worth the risk acceptance because it seems to be very helpful to people who travel constantly for business and need access to the company’s network. I don’t know how many companies actually use this but for the article and the video, VPN seem like an efficient safe technology.
Since we have been talking about networking I found this new form of networking called Virtual Private Networks (VPN). They are made mainly for businesses and provide remote access to other computers/servers through a web browser, instead of a remote access program. This is important for businesses because many business people are constantly traveling. VPN are secured with a firewall and it integrates with your system which will allow you to have remote access to your business computers/ corporate networks via a web browser. It also allows your customers to access your network. The security goals I would have for the technology is that all the information sent through the VPN is secure and cannot be hacked into. Also I would want to make sure that only people who have permission to access the network are the only ones granted access. And I would want the network to be reliable so that it is not down. According to the video it allows up to 25 people to connect to the network using VPN. One problem with this is what if you have more than just 25 people traveling who need access? Will the system crash and not be able to handle everyone’s requests. Threats that may exist could be people gaining access to sensitive business information if they can crack your user name and password, or if they can monitor the computer you use to access the corporate network using VPN. Since it is all web browser based, if someone hacks onto your computer network they may be able to steal/view information from the corporate network. VPN are relatively cheap for businesses to use and seem to be more efficient. So the risk of people hacking into the system can be managed by implementing other security measures on the VPN, such as a timed logout. If you are a business person and are at a coffee shop and you have to get up to go to the bathroom or something, there could be a set amount of idle time before the browser automatically logs you out so that other people can no jump on you computer and view your business information. VPN are also helpful since it can be accessed using PDAs so in meetings or other places where you only have a phone/PDA available, it would be very convenient. As far as the risks, the company would need to secure the network and encrypt the information sent. Also monitoring the VPN networks to see who is actually using it would help keep hackers at bay. I think this product is worth the risk acceptance because it seems to be very helpful to people who travel constantly for business and need access to the company’s network. I don’t know how many companies actually use this but for the article and the video, VPN seem like an efficient safe technology.
Sunday, October 26, 2008
Security Flaw in New Google Phone
T-mobile's new Google phone, which was released last Wednesday for sale to consumers as an alternative to the I-Phone, is found to have a serious security flaw. This flaw will effect both the people who own Google phones, as well as consumers considering purchase. Although the Google phone has improved security by compartilizing applications so that one breach cannot cause too much harm, the flaw lies in the web-browser application included in the phone. The web-browser does not protect against viruses that can be installed just one time, but can remain on the phone forever. For instance, a person with one-time access to the phone can install a program that will record the key strokes that a user inputs. This means that passwords, as well as personal information such as credit card numbers could be stolen.
There is also some controversy as to whether or not this flaw should have been revealed, as companies are generally given some time to fix flaws before the are publicized. I believe that it is best that this flaw was pointed out, especially since now people are able to avoid entering sensitive information into the web browser. If it was kept quiet, people could have been attacked without even knowing there was a risk. I believe that this could be a huge security threat if it is not fixed. People buy the phones, in large part, because of the ability to connect to the Internet, and many could be at risk.
Take a look at the article: http://www.nytimes.com/2008/10/25/technology/internet/25phone.html?_r=1&ref=technology&oref=slogin
There is also some controversy as to whether or not this flaw should have been revealed, as companies are generally given some time to fix flaws before the are publicized. I believe that it is best that this flaw was pointed out, especially since now people are able to avoid entering sensitive information into the web browser. If it was kept quiet, people could have been attacked without even knowing there was a risk. I believe that this could be a huge security threat if it is not fixed. People buy the phones, in large part, because of the ability to connect to the Internet, and many could be at risk.
Take a look at the article: http://www.nytimes.com/2008/10/25/technology/internet/25phone.html?_r=1&ref=technology&oref=slogin
New Wave of "Zombies" Intensifies Web Attacks
I recently read this article regarding “botnets” and “zombies” and found it pretty disturbing. It discusses the vulnerability of any computer connected to the internet. Although network security professionals constantly insist on the use of detection programs and firewalls to protect your computer, it is not always enough. In a matter of minutes an unprotected computer can be turned into a “zombie” by automated programs that hide in the internet waiting to take over computers. A “botnet” is formed by taking multiple “zombie” computers and linking them together. This chain is then used to search for sensitive information, send spam e-mail, and turn other computers into “zombies”.
While none of this surprised me, some of the statistics did. Although security professionals such as Microsoft have drastically decreased the number of detected botnets from about 500,000 to 300,000 in 2008, they are still causing a large amount of damage. A single botnet is capable of controlling millions of computers. A study by a computer security firm called Secunia found that detection programs have limited effectiveness. The most effective program they test only caught 64 of 300 ways in which the computer was vulnerable to malware. I found that to be an unsettling number. I knew that detection software didn’t catch everything, but I’m surprised that even the best program only detects a little over 20 percent of the vulnerabilities.
Some of the new “features” of botnets are even more intriguing. One particular botnet actually activated Microsoft Windows Update on computers that took over in order to wipe out competing malware. Other botnets even install anti-spyware software on the computers they infect in order to ensure their sole control of the machine. With more advanced features such as this, botnets are becoming increasingly difficult to find and therefore destroy. Although there are organizations such as the International botnet Task Force that are attempting to fight against these attackers, they face a number of challenges. For example, depending on the source of the botnet, it may be outside the legal jurisdiction of the United States. However, Microsoft teams, among others, are doing everything that they can to prosecute the people creating these botnets.
http://www.toptechnews.com/story.xhtml?story_id=1200044YU4Y0&page=1
Tuesday, October 21, 2008
French President's Bank Account Hacked
If you thought Sarah Palin's e-mail being hacked was interesting...
"Cyberthieves have stolen money from the personal bank account of France's president, Nicolas Sarkozy.
The criminals reportedly managed to obtain Sarkozy's online username and password, and removed several small sums of money from the account.
Reports state Sarkozy noticed that small amounts of money had disappeared from his account last month, and informed the police of the losses."
The full article is available at: French President Sarkozy's bank account hacked
"Cyberthieves have stolen money from the personal bank account of France's president, Nicolas Sarkozy.
The criminals reportedly managed to obtain Sarkozy's online username and password, and removed several small sums of money from the account.
Reports state Sarkozy noticed that small amounts of money had disappeared from his account last month, and informed the police of the losses."
The full article is available at: French President Sarkozy's bank account hacked
Monday, October 20, 2008
Assignments 4 and 5 Available
Assignments 4 and 5 are now available. Both are due the same week, so I wanted to make sure they were posted early enough to give you time to work on them. For planning purposes, there will only be one more assignment after these two.
Assignment 4 covers the networking material we began before break and will finish when we return.
Assignment 5 covers the Boss, I Think Someone Stole Our Customer Data case study.
For Assignment 5, you need to read the case study, which was published in the Harvard Business Review. Due to copyright restrictions, I cannot give you the file just yet. I am working on getting electronic copies for you. In the meantime, if you want to get a head start, you can read and/or copy it in the periodicals room at the library. There is an electronic database containing the article available through the library website, but the copyright conditions on that article state that those copies cannot be used as "assigned course material."
The case appears in the September 2007 issue of Harvard Business Review on pages 37-50.
Assignment 4 covers the networking material we began before break and will finish when we return.
Assignment 5 covers the Boss, I Think Someone Stole Our Customer Data case study.
For Assignment 5, you need to read the case study, which was published in the Harvard Business Review. Due to copyright restrictions, I cannot give you the file just yet. I am working on getting electronic copies for you. In the meantime, if you want to get a head start, you can read and/or copy it in the periodicals room at the library. There is an electronic database containing the article available through the library website, but the copyright conditions on that article state that those copies cannot be used as "assigned course material."
The case appears in the September 2007 issue of Harvard Business Review on pages 37-50.
Sunday, October 12, 2008
Security and Keyless Entry
I recently saw a commercial for a new Lincoln sedan (MKS) which markets an keyless invisible touchpad called SECURICODE KEYLESS ENTRY. In addition to the touchpad, the car also includes an option for keyless engine starting.
I'm aware of earlier models of cars (particularly on Ford vehicles) that provide an entry touchpad similar to that found on garage doors. Thus, I don't imagine the concept provides any new security risk. I am, however, curious about any new possible risks in light of the design change. The new design houses touch-sensitive controls under a weatherproof acrylic panel. A five digit code is entered into the panel. It seems to me that consistent use of the particular buttons would lead to excessive smudging or weathering on a given section of the cover. Would this theoretically make it easier for would-be thieves to figure out the entry code? Furthermore, does the use of keyless-start make it even easier to steal the car after gaining entry?
Security concerns regarding keyless entry have been documented for many years now. I am curious to see if the combination of these technologies (keypad-entry and keyless start) will have any detrimental effects.
If anyone has experience using keypad-entry, I'd enjoy hearing how reliable the system is, how easy it is to change the code, and how often the code is changed.
I'm aware of earlier models of cars (particularly on Ford vehicles) that provide an entry touchpad similar to that found on garage doors. Thus, I don't imagine the concept provides any new security risk. I am, however, curious about any new possible risks in light of the design change. The new design houses touch-sensitive controls under a weatherproof acrylic panel. A five digit code is entered into the panel. It seems to me that consistent use of the particular buttons would lead to excessive smudging or weathering on a given section of the cover. Would this theoretically make it easier for would-be thieves to figure out the entry code? Furthermore, does the use of keyless-start make it even easier to steal the car after gaining entry?
Security concerns regarding keyless entry have been documented for many years now. I am curious to see if the combination of these technologies (keypad-entry and keyless start) will have any detrimental effects.
If anyone has experience using keypad-entry, I'd enjoy hearing how reliable the system is, how easy it is to change the code, and how often the code is changed.
Saturday, October 11, 2008
IT Security & The Law
For those of you who wish to review Tim Flanagan's presentation from Wednesday, here is his slide presentation.
World Bank Victim of Numerous Cyberattacks
Link: http://www.foxnews.com/story/0,2933,435681,00.html
The computer network of the World Bank--"one of the largest repositories of sensitive data about the economies of every nation"--has been the target of an unspecified amount of successful cyberattacks. In fact, recent e-mails from a senior technology advisor state that these cyberattacks have put the World Bank's computer network into an 'unprecedented crisis.'
While the type and amount of stolen information are not yet known--or, at least, have not yet been made public--"sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July."
Memos also indicate that anywhere between eighteen and forty servers have been hacked, including some which contained "scanned images of staff documents" and sensitive information on contract-procurement data.
Beyond such memos and a few announcements by World Bank officials, the World Bank has tried very hard to classify the details of these cyberattakcs. The World Bank has tried especially hard to calm the thousands of employees who are now worried about the security of their personal and professional information.
The identities of the hackers, and the cause of the cyberattacks, are also obscure. According to FOXnews, however, "at least six major intrusions--two of them using the same group of IP addresses originating from China-—have been detected at the World Bank since the summer of 2007."
Since information on these cyberattacks is so limited, I can only recommend that the World Bank discover how hackers gained access to the network and determine how to prevent future intrusions. While the article mentions various attempts by the World Bank to do just that, it is, of course, far easier said than done.
The computer network of the World Bank--"one of the largest repositories of sensitive data about the economies of every nation"--has been the target of an unspecified amount of successful cyberattacks. In fact, recent e-mails from a senior technology advisor state that these cyberattacks have put the World Bank's computer network into an 'unprecedented crisis.'
While the type and amount of stolen information are not yet known--or, at least, have not yet been made public--"sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July."
Memos also indicate that anywhere between eighteen and forty servers have been hacked, including some which contained "scanned images of staff documents" and sensitive information on contract-procurement data.
Beyond such memos and a few announcements by World Bank officials, the World Bank has tried very hard to classify the details of these cyberattakcs. The World Bank has tried especially hard to calm the thousands of employees who are now worried about the security of their personal and professional information.
The identities of the hackers, and the cause of the cyberattacks, are also obscure. According to FOXnews, however, "at least six major intrusions--two of them using the same group of IP addresses originating from China-—have been detected at the World Bank since the summer of 2007."
Since information on these cyberattacks is so limited, I can only recommend that the World Bank discover how hackers gained access to the network and determine how to prevent future intrusions. While the article mentions various attempts by the World Bank to do just that, it is, of course, far easier said than done.
Tuesday, October 7, 2008
Ford to Introduce MyKey
This is indirectly related to Information Security, mostly the confidentiality aspect of the triad. GPS that allows parents to track the whereabouts of their teenage drivers isn't enough to reassure some parents, so Ford has developed a product called MyKey. It allows parents to have more control over teenage drivers with the following features:
However, if there was an emergency and a teenager needed to get to the hospital or something quickly, they wouldn't be able to go above 80mph. Related to this, a teenage driver could be driving 80mph and need to speed up in order to avoid an accident, but they wouldn't be able to.
http://afp.google.com/article/ALeqM5g-u0NJvY16BTLrFTI38fWkVU6Vnw
- maximum speed of 80mph
- maximum audio of 44% of the volume
- audio system won't work when seat belts are not buckled
- warning when the gas tank gets to 75 miles remaining
- cannot floor the accelerator over 45mph
- warning sounds when speed hits 45mph, 55mph, & 65mph (optional)
However, if there was an emergency and a teenager needed to get to the hospital or something quickly, they wouldn't be able to go above 80mph. Related to this, a teenage driver could be driving 80mph and need to speed up in order to avoid an accident, but they wouldn't be able to.
http://afp.google.com/article/ALeqM5g-u0NJvY16BTLrFTI38fWkVU6Vnw
Sunday, October 5, 2008
Interest in Cyber-crime treaty growing
Searching the web some time last week, I stumbled along some updated news on the cyber-crime treaty. For those who don’t know the cyber-crime treaty is. It's an agreement between different countries that when ratified “will bind countries to creating a minimum set of laws to deal with high-tech crimes, including unauthorized access to a network, data interference, computer-related fraud and forgery, child pornography, and digital copyright infringement. The treaty will also have provisions that will ensure surveillance powers for governments and bind nations to helping each other gather evidence and enforce laws. The treaty also helps the pursuing of criminals on an international scale” Although the treaty’s last draft was signed off on
With that said the information I found was that the treaty was actually getting more interest from the rest of the world. Many other countries are beginning to follow suit and sign this treaty stating that they will conform to the agreement. Making it harder for people to commit crimes over seas without fear of being prosecuted. here are some more articles I found on the matter.
Friday, October 3, 2008
"Xerox Selects VeriSign Managed Security Services to Help Protect Their Corporate Network"
After talking about VeriSign and digital certificates the other day, this article caught my eye when I was on CNNMoney.com.
Xerox Corp. has chosen VeriSign Inc. to provide Managed Security Services to help maximize the value of its information and network security investments, while minimizing its security risks. VeriSign will use a number of tools to help protect Xerox's network security, such as Firewall Monitoring, Network and Host-Based Intrusion Prevention Systems (IPS) Management and Log Management Services. Xerox will also use VeriSign's iDefense Security Intelligence Services to look for and manage vulnerabilities, malicious code, and other threats facing the network.
The Director of Information Security and Risk Management at Xerox said, "Teaming with VeriSign Enterprise Security Services allows us to work with a trusted security partner, enabling our IT security teams to focus on only critical and actionable events." VeriSign is a well-known name in helping organizations more effectively manage risk, monitor compliance and identify and mitigate evolving security threats.
**I just thought this article was interesting because we had just talked about VeriSign in class and I had mentioned them in my presentation. After our class discussions, I find that I pick up on a lot more security news now that I am more knowledgable on such issues.
Xerox Corp. has chosen VeriSign Inc. to provide Managed Security Services to help maximize the value of its information and network security investments, while minimizing its security risks. VeriSign will use a number of tools to help protect Xerox's network security, such as Firewall Monitoring, Network and Host-Based Intrusion Prevention Systems (IPS) Management and Log Management Services. Xerox will also use VeriSign's iDefense Security Intelligence Services to look for and manage vulnerabilities, malicious code, and other threats facing the network.
The Director of Information Security and Risk Management at Xerox said, "Teaming with VeriSign Enterprise Security Services allows us to work with a trusted security partner, enabling our IT security teams to focus on only critical and actionable events." VeriSign is a well-known name in helping organizations more effectively manage risk, monitor compliance and identify and mitigate evolving security threats.
**I just thought this article was interesting because we had just talked about VeriSign in class and I had mentioned them in my presentation. After our class discussions, I find that I pick up on a lot more security news now that I am more knowledgable on such issues.
Wednesday, October 1, 2008
PDA Security
Today in class, we briefly touched upon the information security risk that PDAs pose. Besides the threat of physically losing your PDA, there are other security risks which one should take into consideration when using these hand held devices. The reason for this risk comes from the fact that most of these devices have both bluetooth and wi-fi capabilities; such wireless connections open the door to the risk of malicious code.
When considering such security threats, one could take Blackberry for example. I have seen many students with these devices on campus and e-mail security is definitely a concern. The threat comes from the user downloading certain files - for example opening an e-mail which contains a trojan horse - allowing a hacker to monitor/access the e-mails that the recipient is receiving (and therefore gaining complete access to the information incoming and outgoing).
On a corporate level, there is the risk of espionage between companies; trade secrets and future deals being leaked. Senior executives use these devices and in their calendar alone there may be fragile company information such as key customer information and merger/acquisition info which could lead to humiliation or a drop in the material value of the organization.
On a more severe level, government and military employees use these devices; a leak of vital information could result in the loss of life.
Third party programs are the cause of many of these viruses. When using Blackberries and the like at work, security directly relates to the level of protection/restriction the corporation is administrating. Blackhats love trying to penetrate new devices (such as the iPhone) while exploiting their flaws/vulnerabilities.
Some tips to stay safe when using PDAs: don't keep any information on your PDA that you can't afford to lose, utilize the "power on" password setting (a prompt to input your password disallowing access to those who are without it), take advantage of firewall and security packages (such as those offered by BlueFire), consider encrypting your data.
Since users have the option of multiple operating systems when using PDAs, combined with the fact that hackers typically have access to more data via victims' computers, PDAs haven't been targeted so heavily yet. But as their capabilities advance, so will their draw from blackhats.
When considering such security threats, one could take Blackberry for example. I have seen many students with these devices on campus and e-mail security is definitely a concern. The threat comes from the user downloading certain files - for example opening an e-mail which contains a trojan horse - allowing a hacker to monitor/access the e-mails that the recipient is receiving (and therefore gaining complete access to the information incoming and outgoing).
On a corporate level, there is the risk of espionage between companies; trade secrets and future deals being leaked. Senior executives use these devices and in their calendar alone there may be fragile company information such as key customer information and merger/acquisition info which could lead to humiliation or a drop in the material value of the organization.
On a more severe level, government and military employees use these devices; a leak of vital information could result in the loss of life.
Third party programs are the cause of many of these viruses. When using Blackberries and the like at work, security directly relates to the level of protection/restriction the corporation is administrating. Blackhats love trying to penetrate new devices (such as the iPhone) while exploiting their flaws/vulnerabilities.
Some tips to stay safe when using PDAs: don't keep any information on your PDA that you can't afford to lose, utilize the "power on" password setting (a prompt to input your password disallowing access to those who are without it), take advantage of firewall and security packages (such as those offered by BlueFire), consider encrypting your data.
Since users have the option of multiple operating systems when using PDAs, combined with the fact that hackers typically have access to more data via victims' computers, PDAs haven't been targeted so heavily yet. But as their capabilities advance, so will their draw from blackhats.
Hacking Passports
Current Event: According to Schneier’s blog hackers have come up with a way to make fake electronic passports. An electronic passport is a passport with a chip that reads the information pertinent to your passport. According to the United States’ government website, “The U.S. Electronic Passport uses the digital image of the passport photograph as the biometric identifier that is used with face recognition technology to verify the identity of the passport bearer. “ However as we have seen in class (Myth Busters) this doesn’t really provide a strong security. The original benefit of the passport was that it would allow travelers to get through customs and travel inspection much quicker because there are machines that read the passport, so the traveler would not have to wait in line to get their passport checked. On Schneier’s blog he links to a news story explaining how to modify and clone passports because the chip is not secure. The blog links to this website http://freeworld.thc.org/thc-epassport/ which explains how to modify a passport and make fake information in a few easy steps. There is even a video included. This is obviously a HUGE security problem, as the point of passports is to protect each country. With terrorism at a high right now, this should be a major concern to government officials. While this technology is flawed, it should not be thrown out, because people use to fake passports when they were normal no technical documents, so that is not the problem. The problem is that we put too much trust into letting machines do the jobs people should have. If at every machine there were security guards that confirm the passport is valid, many amateurs trying to fake the passport would be caught. Since the chip is part of the problem and can be altered previous to being inspected, we should only work to make a more advanced technology to address this issue, perhaps a stronger encryption is needs on the chips. The government should invest time and money into this issue if they want to keep their borders safe, since we now know of this problem.
Sources:
http://www.schneier.com/blog/
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
http://freeworld.thc.org/thc-epassport/
http://travel.state.gov/passport/eppt/eppt_2498.html
What do you think about this? I know it slightly scares me.
-Cassie
Sources:
http://www.schneier.com/blog/
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
http://freeworld.thc.org/thc-epassport/
http://travel.state.gov/passport/eppt/eppt_2498.html
What do you think about this? I know it slightly scares me.
-Cassie
Subscribe to:
Posts (Atom)
Posts
