Nederlands
English
Category: security
Get a famous fingerprint
The German Chaos Computer Club, the oldest and largest hacker group of Europe, made available to the public the fingerprint of the German Minister Schäuble for the Interior. They wanted to show how easy it is to obtain someone’s identity when identity is based on fingerprints.
The German government is preparing to build a national database containing the fingerprints of all its citizens for the purposes of fraud-prevention and national security. Minister Schäuble is very angry about the release of his fingerprints and has stated he will take legal measures against the CCC. Dutch hacker Rop Gongrijp pointed out that the Minister’s anger was curious since it was the minister after all who wanted to collect the fingerprints of over 82 million Germans and the CCC only collected one.
The CCC has been demonstrating for several years how easy it is to ‘steal’ someone’s fingerprint and use is to fool all kinds of security measures such as payment systems, physical access controls and computer security systems. As with the doomed RFID cards these demonstrations need to be very ‘in your face’ before media and governments take notice. Worldwide there are over 200 million devices in use of the 20 different types that were fooled by the CCC experts. As with the 100 million RFID cards they are all essentially worthless as serious methods for securing transactions or granting access.
It is curious how we as citizens are constantly required to trust governments to handle our most private data when these governments often are not that trustworthy themselves and also not very technically competent in guarding our information. Passports are easy to fake, RFID cards are easy to copy, fingerprint readers can be fooled. Before we base our entire lives on these technologies we’d better make sure they actually provide a minimum level of security. For now I’m sticking to encrypted mail and strong passwords.
German TV broadcast an item about the possibility of stealing a fingerprint and using it to go shopping at someone else’s expense at a large German supermarket chain.
Since the TV piece did not include the entire method for making your own fingerprints I include it here. As with the RFID cards, these vulnerabilities have been known for several years, it’s just that some companies and governments are a bit slow in picking up on them. If you want to go shopping as Minister Schäuble, just click on the picture at the top and follow the procedure from the movie.
A friend and IT security expert pointed out that since anyone can now pretend to be Minister Schäuble, that pretty much makes his fingerprint useless as evidence in court. Maybe we should all publish our fingerprints (and retina scans and DNA profiles) to gain plausible deniability on future accusations of anything …
Public Transport card fully hacked
What experts foresaw last December and the Dutch research institute TNO denies was possible in their recent report has been done. The deepest level of data-encryption on the NXP Mifare RFID chip has been hacked. Cash from cards can now be copied to other cards through cloning and that makes this system utterly unsuitable for serious applications involving real people and real money.
But this is essentially old news. The more interesting news as far as I’m concerned is the fact that TNO was immediately re-hired by the company implementing the card system to do more research on the validity of the hack. You have to wonder what the thinking is here. This company dropped the ball on at least three separate occasions in this area so why do they get another chance to write a big rapport to claim ‘there is no problem’ ? And this is not the first time, on the sensitive subject of voting computers (now banned in The Netherlands) they also kept telling us ‘all is well‘.
If you merely want a paper to reassure yourself just ask the secretary to print out a pretty picture from the Interweb with a caption that says ‘everything will be ok’. That’s a lot cheaper then hiring a company like TNO, and apparently just as valid.
Does TNO just write down whatever the customer asks of them or do they really not know any better? Either alternative is troublesome. As an important expert-adviser to the governments we should hold TNO to a higher standard. When faced with an impossible request from a client they should respectfully decline the job explain that the client’s request is either technically impossible or not in line with laws concerning citizen privacy and such.
Our government (and parliament!) allowing such organizations to indirectly guide technology policy is a real problem that will continue to cost us dearly (in real money, privacy violations, theft and missed technology opportunities).
Next up for big IT-projects is a road-toll system that should allow for more flexible costs of (pay-as-you-go) owning and using a car. Hopefully it won’t be as insecure as this project, that could be expensive for government or the citizen (or both).
Tomorrow there will be a meeting in parliament on this matter. The independent experts (the ones that got it right from day 1) have decided to boycott this meeting since they are not allowed access to the ‘secret’ paragraph of the most recent TNO rapport. They wisely refuse to legitimize more ‘security-by-obscurity‘ bullshit.
Diebold leaks 2008 election results!
Diebold votingcomputers leak critical info, messing up the whole charade around the 2008 US Presidential election. What is the world coming to if one cannot trust the Overlords to keep a simple secret?