Schneier on Security: Tagged UK

Entries Tagged "UK"

Page 16 of 19

ID Cards and ID Fraud

Unforeseen security effects of weak ID cards:

It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like ‘photo ID’, it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents.

During the Commons ID card debates this kind of process was described by Tory MP Patrick Mercer, drawing on his experience as a soldier in Northern Ireland, where photo driving licences were first introduced as an anti-terror measure. This “quasi-identity card… I think—had a converse effect to that which the Government sought… anybody who had such a card or driving licence on their person had a pass, which, if shown to police or soldiers, gave them free passage. So, it had precisely the opposite effect to that which was intended.”

Effectively – as security experts frequently point out – apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. A similar effect has been observed following the introduction of chip and PIN credit cards, where ownership of the card and knowledge of the PIN is now almost always viewed as conclusive.

Posted on December 30, 2005 at 1:51 PM • View Comments

Vehicle Tracking in the UK

Universal automobile surveillance is coming:

Britain is to become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years.

Using a network of cameras that can automatically read every passing number plate, the plan is to build a huge database of vehicle movements so that the police and security services can analyse any journey a driver has made over several years.

The network will incorporate thousands of existing CCTV cameras which are being converted to read number plates automatically night and day to provide 24/7 coverage of all motorways and main roads, as well as towns, cities, ports and petrol-station forecourts.

By next March a central database installed alongside the Police National Computer in Hendon, north London, will store the details of 35 million number-plate “reads” per day. These will include time, date and precise location, with camera sites monitored by global positioning satellites.

As The Independent opines, this is only the beginning:

The new national surveillance network for tracking car journeys, which has taken more than 25 years to develop, is only the beginning of plans to monitor the movements of all British citizens. The Home Office Scientific Development Branch in Hertfordshire is already working on ways of automatically recognising human faces by computer, which many people would see as truly introducing the prospect of Orwellian street surveillance, where our every move is recorded and stored by machines.

Although the problems of facial recognition by computer are far more formidable than for car number plates, experts believe it is only a matter of time before machines can reliably pull a face out of a crowd of moving people.

If the police and security services can show that a national surveillance operation based on recording car movements can protect the public against criminals and terrorists, there will be a strong political will to do the same with street cameras designed to monitor the flow of human traffic.

I’ve already written about the security risks of what I call “wholesale surveillance.” Once this information is collected, it will be misused, lost, and stolen. It will be filled with errors. The problems and insecurities that come from living in a surveillance society more than outweigh any crimefighting (and terrorist-fighting) advantages.

Posted on December 22, 2005 at 2:41 PM • View Comments

Cybercrime Pays

This sentence jumped out at me in an otherwise pedestrian article on criminal fraud:

“Fraud is fundamentally fuelling the growth of organised crime in the UK, earning more from fraud than they do from drugs,” Chris Hill, head of fraud at the Norwich Union, told BBC News.

I’ll bet that most of that involves the Internet to some degree.

And then there’s this:

Global cybercrime turned over more money than drug trafficking last year, according to a US Treasury advisor. Valerie McNiven, an advisor to the US government on cybercrime, claimed that corporate espionage, child pornography, stock manipulation, phishing fraud and copyright offences cause more financial harm than the trade in illegal narcotics such as heroin and cocaine.

This doesn’t bode well for computer security in general.

Posted on November 30, 2005 at 6:05 AM • View Comments

Ex-MI5 Chief Calls ID Cards "Useless"

Refreshing candor:

The case for identity cards has been branded “bogus” after an ex-MI5 chief said they might not help fight terror.

Dame Stella Rimington has said most documents could be forged and this would render ID cards “useless”.

[…]

She said: “ID cards have possibly some purpose.

“But I don’t think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards.

“My angle on ID cards is that they may be of some use but only if they can be made unforgeable – and all our other documentation is quite easy to forge.

“If we have ID cards at vast expense and people can go into a back room and forge them they are going to be absolutely useless.

“ID cards may be helpful in all kinds of things but I don’t think they are necessarily going to make us any safer.”

Posted on November 18, 2005 at 6:48 AM • View Comments

Sony Secretly Installs Rootkit on Computers

Mark Russinovich discovered a rootkit on his system. After much analysis, he discovered that the rootkit was installed as a part of the DRM software linked with a CD he bought. The package cannot be uninstalled. Even worse, the package actively cloaks itself from process listings and the file system.

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.

Removing the rootkit kills Windows.

Could Sony have violated the the Computer Misuse Act in the UK? If this isn’t clearly in the EULA, they have exceeded their privilege on the customer’s system by installing a rootkit to hide their software.

Certainly Mark has a reasonable lawsuit against Sony in the U.S.

EDITED TO ADD: The Washington Post is covering this story.

Sony lies about their rootkit:

November 2, 2005 – This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

Their update does not remove the rootkit, it just gets rid of the $sys$ cloaking.

Ed Felton has a great post on the issue:

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function—they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert—falsely—that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.

And you can use the rootkit to avoid World of Warcraft spyware.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG’s content protection software can make tools made for cheating in the online world impossible to detect.

EDITED TO ADD: F-Secure makes a good point:

A member of our IT security team pointed out quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs.

In order to hide from the system a rootkit must interface with the OS on very low level and in those areas theres no room for error.

It is hard enough to program something on that level, without having to worry about any other programs trying to do something with same parts of the OS.

Thus if there would be two DRM rootkits on the same system trying to hook same APIs, the results would be highly unpredictable. Or actually, a system crash is quite predictable result in such situation.

EDITED TO ADD: Declan McCullagh has a good essay on the topic. There will be lawsuits.

EDITED TO ADD: The Italian police are getting involved.

EDITED TO ADD: Here’s a Trojan that uses Sony’s rootkit to hide.

EDITED TO ADD: Sony temporarily halts production of CDs protected with this technology.

Posted on November 1, 2005 at 10:17 AM • View Comments

ATM Fraud and British Banks

An absolutely great story about phantom ATM withdrawals and British banking from the early 90s. (The story is from the early 90s; it has just become public now.) Read how a very brittle security system, coupled with banks using the legal system to avoid fixing the problem, resulted in lots of innocent people losing money to phantom withdrawals. Read how lucky everyone was that the catastrophic security problem was never discovered by criminals. It’s an amazing story.

See also Ross Anderson’s page on phantom withdrawals.

Oh, and Alistair Kelman assures me that he did not charge 1,750 pounds per hour, only 450 pounds per hour.

Posted on October 24, 2005 at 7:16 AM • View Comments

UK Terrorism Law Used for Non-Terrorism Purposes

The U.K. has used terrorism laws to stifle free speech; now it’s using them to keep pedestrians off bicycle paths.

With her year-round tan, long blonde hair and designer clothes, Sally Cameron does not look like a threat to national security.

But the 34-year-old property developer has joined the ranks of Britain’s most unlikely terrorist suspects after being held for hours for trespassing on a cycle path.

And also to prevent people from taking pictures of motorways:

A Hampshire student was stopped and warned by police under new anti-terror laws—for taking pictures of the M3.

Matthew Curtis had been gathering images for the website of a design company where he works part-time when he was stopped, searched and cautioned.

The 21-year-old was told that he was in a “vulnerable area” as he snapped pictures of the M3 and was made to account for his actions before he was issued with a warning and told not to do it again.

Officers, who had quoted the Prevention of Terrorism Act, today apologised for causing concern but say they were just being vigilant.

I get that terrorism is the threat of the moment, and that all sorts of government actions are being justified with terrorism. But this is ridiculous.

Posted on October 19, 2005 at 12:04 PM • View Comments

Terrorism Laws Used to Stifle Political Speech

Walter Wolfgang, an 82-year-old political veteran, was forcefully removed from the UK Labour party conference for calling a speaker, Jack Straw, a liar. (Opinions on whether Jack Straw is or is not a liar are irrelevant here.) He was later denied access to the conference on basis of anti-terror laws. Keep in mind that as recently as the 1980s, Labour Party conferences were heated affairs compared with today’s media shows.

From The London Times:

A police spokeswoman said that Mr Wolfgang had not been arrested but detained because his security accreditation had been cancelled by Labour officials when he was ejected. She said: “The delegate asked the police officer what powers he was using. The police officer responded that he was using his powers under Section 44 of the Terrorism Act to confirm the delegate’s details.”

Also this:

More than 600 people were detained under the Terrorism Act during the Labour party conference, it was reported yesterday.

Anti-Iraq war protesters, anti-Blairite OAPs and conference delegates were all detained by police under legislation that was designed to combat violent fanatics and bombers – even though none of them was suspected of terrorist links. None of those detained under Section 44 stop-and-search rules in the 2000 Terrorism Act was arrested and no-one was charged under the terrorism laws.

Walter Wolfgang, an 82-year-old Jewish refugee from Nazi Germany, was thrown out of the conference hall by Labour heavies after heckling the Foreign Secretary, Jack Straw.

When he tried to get back in, he was detained under Section 44 and questioned by police. The party later apologised.

But the Home Office has refused to apologise for heavy-handed tactics used at this year’s conference.

A spokesman insisted: “Stop and search under Section 44 is an important tool in the on-going fight against terrorism.

“The powers help to deter terrorist activity by creating a hostile environment for terrorists.”

He added that the justification for authorising the use of the powers was “intelligence-led and based on an assessment of the threat against the UK.”

The shadow home secretary, David Davis, said: “Laws that are designed to fight terrorism should only be used against terrorism.”

Posted on October 10, 2005 at 8:13 AM • View Comments

Watches a Security Threat

At Labour’s Brighton conference in the UK, security screeners are making people take their watches off and run them through the scanner. Why? No one seems to know.

My guess is that it began as this story about altimeter watches, and then got exaggerated in the retelling.

Posted on September 29, 2005 at 3:34 PM • View Comments

Man Arrested for Being A Computer Nerd

In this disturbing story, a man is arrested in the London subways as a terrorist because, well because he was acting like a computer nerd.

At least the police didn’t shoot to kill.

EDITED TO ADD: This picture was supposedly taken in the London Tube a few weeks after the first set of bombings.

EDITED TO ADD: Snopes says that the picture is a fake.

Posted on September 26, 2005 at 12:12 PM • View Comments

←Previous 1 … 14 15 16 17 18 19 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.