May 20th, 2008

What is the U.S. doing about security?

Posted by Nathan McFeters @ 8:53 pm

Categories: Digital rights management, Governments, United States of America

Tags: Card, Database, President, Blog, Privacy, Passport Card, RFID, Government, Security, Wireless

I’ve been terribly busy lately.  Hopefully you all here haven’t noticed, as I’ve been working hard to still keep my posts flowing, but I’ve just got time to catch up with several blogs that I read often.  One of those blogs is the Emergent Chaos blog (shoutz to Adam Shostack).  On the blog recently, there was a great story from the Washington Times that Arthur commented on.

Apparently the State Department is going to be producing “passport cards” (see image below, courtesy of Emergent Chaos) for people traveling by car or boat to Canada, Mexico, and the Caribbean.  The story states:

About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about the user. The State Department announced recently that it will begin producing the cards next month and issue the first ones in July.

That’s right RFID just like booklet style passports. Only it won’t be encrypted and it won’t be shielded. It will even be “vicinity” aka long range RFID, so the very intent is to read them from a distance. While the card isn’t supposed to have any personal information on it, it will link back to a database that does contain personal information. I for one don’t have a lot of confidence that that database can be kept properly secure.

Security specialists told The Washington Times that the electronic-passport card can be copied or altered easily by removing the photograph with solvent and replacing it with one from an unauthorized user.

Joel Lisker, a former FBI agent who spent 18 years countering credit-card fraud at MasterCard, said the new cards pose a serious threat to U.S. security. “There really is no security with these cards,” he said.

You know, I feel like most anyone looks at this and just thinks, WTF?!  I mean, did they not get the memo from our good President Bush stating that we need to spend BILLIONS on security?  I wish he would’ve said GODZILLIONS, that would’ve made this story even more hilarious.  Check out this article on USA Today by Richard Wolf on the President’s new stance on security (interesting sections cut out here):

A sudden spike in the number of successful attacks against federal government information systems and databases has led President Bush to propose a multi-billion dollar response.

The number of incidents reported to the Department of Homeland Security rose by 152% last year, to nearly 13,000, according to a new government report. The security breaches, more than 4,000 of which remain under investigation, ranged from the work of random hackers to organized crime and foreign governments, says Tim Bennett, president of the Cyber Security Industry Alliance.

I wonder if the DHS counted any of their own blunders, including the infamous release of the Idaho National Labs research on hacking SCADA devices… what a ridiculously bad idea that was.  Back to the article:

The increase and severity of data breaches prompted Bush to recommend a 10% increase in cybersecurity funding for the coming fiscal year, to $7.3 billion. That’s a 73% increase since 2004.

Really, a 10% increase is it and we’re at $7.3 billion?  What the hell did we do with the $6.6 billion from last year?  God, what did we do with the amount we’ve spent since 2004?

“The president’s put a lot of emphasis on this recently,” says Robert Jamison, undersecretary for national protection and programs at the Department of Homeland Security. “We’re concerned that the threats are real and growing. … We’re more vulnerable as a nation.”

Whoa, whoa, did I read that right?  You’re “concerned that the threats are real and growing…”?  Are you kidding me?  You’re just concerned about it, you’re not 100% positive about it?

Ok, so back to that $7.3 billion and those fancy new passport cards.  I could have told you for $5.00 and a case of beer that the passport cards with RFID are a ridiculous idea, especially when they link back to a database with sensitive info.  Someone in the .gov needs to talk to Adam Laurie about this stuff.  In fact, screw the $7.3 billion!  Give me $1 million and let me hire a panel of ten top industry people (I’m not going to name names) and we’ll tell you what to do.

Look, I applaud the president and our government for spending the money, but let’s get someone in charge of this that’s going to get something done.  I don’t know who is appropriating the money, but $7.3 billion is a lot of money and you’d think you could do a lot more with it than we have.

You know, this article from USA Today goes on to talk about how we are addressing the threat from China.  Ok, that’s well and good, but God, we can’t even tackle passport cards properly.  You just lose a lot of faith in your government doing the right things to protect you.

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
