Entries Tagged "identification"

Page 10 of 27

Hacking TSA PreCheck

I have a hard time getting worked up about this story:

I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.

What a dumb way to design the system. It would be easier—and far more secure—if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And—of course—this means that you can still print your own boarding pass.

On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don’t feel any less safe because of this vulnerability.

Still, I am surprised. Is this the same in other countries? Lots of countries scan my boarding pass before allowing me through security: France, the Netherlands, the UK, Japan, even Uruguay at Montevideo Airport when I flew out of there yesterday. I always assumed that those systems were connected to the airlines’ reservation databases. Does anyone know?

Posted on October 26, 2012 at 6:46 AMView Comments

Database of 12 Million Apple UDIDs Leaked

In this story, we learn that hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI laptop.

My question isn’t about the hack, but about the data. Why does an FBI agent have user identification information about 12 million iPhone users on his laptop? And how did the FBI get their hands on this data in the first place?

For its part, the FBI denies everything:

In a statement released Tuesday afternoon, the FBI said, “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

Apple also denies giving the database to the FBI.

Okay, so where did the database come from? And are there really 12 million, or only one million?

EDITED TO ADD (9/12): A company called BlueToad is the source of the leak.

If you’ve been hacked, you’re not going to be informed:

DeHart said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit.

Posted on September 6, 2012 at 6:48 AMView Comments

Fake Irises Fool Scanners

We already know you can wear fake irises to fool a scanner into thinking you’re not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you’re someone else.

EDITED TO ADD (8/13): Paper and slides.

Also This:

Daugman says the vulnerability in question, which involves using an iterative process to relatively quickly reconstruct a workable iris image from an iris template, is a classic “hill-climbing” attack that is a known vulnerability for all biometrics.”

Posted on July 31, 2012 at 11:11 AMView Comments

Remote Scanning Technology

I don’t know if this is real or fantasy:

Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body—agents will be able to get any information they want without even touching you.

The meta-point is less about this particular technology, and more about the arc of technological advancements in general. All sorts of remote surveillance technologies—facial recognition, remote fingerprint recognition, RFID/Bluetooth/cell phone tracking, license plate tracking—are becoming possible, cheaper, smaller, more reliable, etc. It’s wholesale surveillance, something I wrote about back in 2004.

We’re at a unique time in the history of surveillance: the cameras are everywhere, and we can still see them. Fifteen years ago, they weren’t everywhere. Fifteen years from now, they’ll be so small we won’t be able to see them. Similarly, all the debates we’ve had about national ID cards will become moot as soon as these surveillance technologies are able to recognize us without us even knowing it.

EDITED TO ADD (8/13): Related papers, and a video.

Posted on July 16, 2012 at 1:59 PMView Comments

High-Quality Fake IDs from China

USA Today article:

Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards.

Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents.

The overseas forgers are bold enough to sell their wares on websites, USA TODAY research finds. Anyone with an Internet connection and $75 to $200 can order their personalized ID card online from such companies as ID Chief. Buyers pick the state, address, name and send in a scanned photo and signature to complete their profile.

ID Chief, whose website is based in China, responds personally to each buyer with a money-order request.

[…]

According to Huff of the Virginia agency, it has always been easy for the untrained eye to be fooled by fake IDs. The difference is, Huff said, that the new generation of forged IDs is “good enough to fool the trained eye.”

The only real solution here is to move the security model from the document to the database. With online verification, the document matters much less, because it is nothing more than a pointer into a database. Think about credit cards.

Posted on June 13, 2012 at 6:45 AMView Comments

Kip Hawley Reviews Liars and Outliers

In his blog:

I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For my colleagues inside the government working the various identity management, security clearance, and risk-based- security issues, L&O should be required reading.

[…]

L&O is fresh thinking about live fire issues of today as well as moral issues that are ahead. Whatever your policy bent, this book will help you. Trust me on this, you don’t have to buy everything Bruce says about TSA to read this book, take it to work, put it down on the table and say, “this is brilliant stuff.”

I’m hosting Kip Hawley on FireDogLake’s Book Salon on Sunday at 5:00 – 7:00 PM EDT. Join me and we’ll ask him some tough questions about his new book.

Posted on May 18, 2012 at 6:06 AMView Comments

Dance Moves As an Identifier

A burglar was identified by his dance moves, captured on security cameras:

“The 16-year-old juvenile suspect is known for his ‘swag,’ or signature dance move,” Heyse said, “and [he] does it in the hallways at school.” Presumably, although the report doesn’t make it clear, a classmate or teacher saw the video, recognized the distinctive swag and notified authorities.

But is swag admissible to identify a defendant? Assuming it really is unique or distinctive—and it looks that way from the clip, but I’m no swag expert—I’d say yes.

Posted on April 19, 2012 at 1:03 PMView Comments

Authentication by "Cognitive Footprint"

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea—and I think this is a good one—is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.

I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.

Posted on January 23, 2012 at 11:49 AMView Comments

Butt Identification

Here’s a new biometric: how you sit:

…researchers there developed a system that can recognize a person by the backside when the person takes a seat. The system performs a precise measurement of the person’s posterior, its contours and the way the person applies pressure on the seat. The developers say that in lab tests, the system was able to recognize people with 98 percent accuracy.

Posted on December 28, 2011 at 11:40 AMView Comments

1 8 9 10 11 12 27

Sidebar photo of Bruce Schneier by Joe MacInnis.