Privacy survey urged for counterterror programs

In a report published on Tuesday, the group of scientists offered a framework that agencies can use to grade their programs on key facets, including data privacy, and urged lawmakers to revisit legislation that could better protect privacy in such programs. The report acknowledged the threat of terrorism as a real and urgent concern, calling for the use of information technologies to help combat terrorists. The fight against terrorism, however, should not excuse massive numbers of false-positive matches that could lead to privacy violations, the National Research Council said in a statement announcing the publication of the report.

“Poor-quality data are a major concern in protecting privacy because inaccuracies may cause data-mining algorithms to identify innocent people as threats,” the statement summarized from the report. “Linking data sources together tends to compound the problem; current literature suggests that a \’mosaic\’ of data assembled from multiple databases is likely to be error-prone. Analysts and officials should be aware of this tendency toward errors and the consequent likelihood of false positives.”

Privacy worries have dogged the Bush Administration\’s initiatives aimed at fighting terrorism. The National Security Agency (NSA) became a focus in the wiretapping debate when the New York Times reported that the agency had eavesdropped on the Internet activities and phone calls of U.S. citizens as well as foreign terrorism targets without seeking the warrant required by law. Many telecommunications companies allegedly cooperated with the U.S. government and have faced lawsuits as a result. In March, a security consultant claimed the existence of a “Quantico circuit” that provided a third party — presumably a federal agency — with unfettered access to a cellular phone company\’s network.

In July, President Bush signed into law a bill that amended restrictions on surveilling international communications and gave retroactive immunity to telecommunications companies.

In its report, the National Research Council warned that data mining technologies used to identify potential terrorists have many technical issues. Data garnered from the private sector is, in many cases, of poor quality.

“All information-based programs should be accompanied by robust, independent oversight to ensure that privacy safeguards are not bypassed in daily operations,” the NRC stated. “Systems should log who accesses data, thus leaving a trail that can itself be mined to monitor for abuse.”

Protecting against Wi-Fi, Bluetooth, RFID data attacks

In a frightening but entertaining session entitled “How do I Pwn Thee? Let me Count the Ways” (pwn is hacker speak for “own” or control), a hacker who goes by the alias “RenderMan” explained how most people are at risk and don’t even know it.

By now most people probably know they should be careful using Wi-Fi networks, especially public hotspots that don’t encrypt data transmissions and where network access points can be spoofed. These issues leave Web surfers at risk of having their data stolen, receiving fake Web pages and other information, and having their computers completely taken over, he said.

Even airplane passengers who either ignore stewardess requests to disable Wi-Fi or don’t know how to turn it off are not immune to attacks from others in the airplane, he added.

RenderMan suggests that people disable Wi-Fi when it is not in use and use VPNs and firewall software.

Bluetooth headset users are at risk because of a security hole in the technology and default PINs that don’t get changed, he said. Exploiting vulnerabilities someone can break in and steal data from the phones, make calls without the cell phone owner knowing, listen in on and break into conversations, and even spy on people by turning the device into a bug.

He advises that people change the default password, disable the Bluetooth on the phones, turn off the headsets when not in use, and limit access to the data and features when communicating with other Bluetooth devices.

Many people don’t realize that new U.S. passports have RFID technology with weak encryption that makes the data on the chip easy to read with the proper reader device. (See related video below).

The U.S. government attempted to mitigate the privacy threat by putting a metal foil layer on the front and back cover of the passports, but the stiffness of the foil pops the passport open as much as an inch, wide enough for RFID readers to snatch the data, RenderMan said, showing a video to demonstrate this.

“There is no rule that says that if the chip doesn’t work, they will refuse you access to the border. You will get increased scrutiny, but it’s still a valid document,” he said. “So, liberal application of a hammer can negate a lot of the possible” problems.

But doing willful damage to the passport is a crime, one attendee pointed out. “I fell, really hard,” RenderMan deadpanned.

RFID used in transit and building access badges has also been proven to be insecure, allowing someone to use an RFID reader to copy data off the card and make a clone of it, he said.

A security flaw in the Mifare Classic Chip used in transit systems is the subject of a court case in The Netherlands. The maker of the chip, NXP Semiconductors, sued to block a university from publishing details of the problems, but a court ruled on Friday that the research can be made public.

Even traditional keys are vulnerable, RenderMan said. For instance, photographs of spare keys for electronic-voting machines displayed on a Web page were used to make replicas with similar-looking keys, he said. A video demo showed how someone filed down a key from a hotel mini-bar and was able to open up the memory card slot of a Dieboldvoting system.

US government security data compromised

The security of data held by the CIA, the FBI and the US Department of Defense was compromised earlier this year after a partner agency allowed zone transfer access of its Domain Name Services.

Professor John Walker, managing director of forensics consultancy Secure-Bastion, revealed the security blunder during the International Crime Science conference in London last week.

Professor Walker had been testing DNS environments as part of his academic research.

“In one case an organisation in the US, working with some government agencies, allowed me to get into their systems to see their servers named for their clients. Their servers were called ‘CIA’, ‘FBI’ and ‘DoD’,” he said.

“The DNS is a logical map of all the assets of a company. If you can take the logical map of the assets out (IP addresses, system names) you’ve got an awful lot of intelligence to work on,” he said.

“And you can work quietly because you no longer have to go to the organisation to get the data because it’s sitting on your PC.”

When Professor Walker reported the security flaw, the organisation said ” Thank God you’ve found it” and closed it down. “I didn’t go down any further because I valued my liberty,” he said.

“In my work I get the pleasure of seeing other people’s systems. I invariably walk away not believing what I’ve seen. It’s not that the criminals are so clever, but that we’re so stupid.”

The International Crime Science Conference was organised by the Centre for Security and Crime Science at University College London.