White Hat Hackers Break Into a Car Dealership

Autoblog links to a fascinating set of video clips from truTV about a team of white hat hackers (in short, the good kind of hackers, the ones who want to improve security) hired by an exotic car dealership to try to break in:

Symbolic Motors in La Jolla, CA wanted to test out its security systems and hired the “Tiger Team” to see if they could break into their showroom full of exotic cars. truTV watched on with video cameras in hand to see if they could do it undetected.[…]

I found it pretty captivating, but what really caught my eye was the degree to which social engineering played a part. Sure, there was still lock-picking and other physical security work-arounds, but I’m not sure the ploy would have worked without the unknowing assistance of the business’ own employees.

Bruce Schneier on the Security of ID Checks

Bruce Schneier is a cryptographer and the founder & CTO of Counterpane Internet Security. I came to know about him from one of his earlier books, Applied Cryptography (I had an interest in cryptography at the time and I still do). In any case, I respect his viewpoints on security and cryptography.

I recently found an article written by Schneier for the San Francisco Chronicle on the false sense of security that ID cards can provide. I’ve never particularly felt an extra sense of security from having my ID checked all the time (airports and elsewhere) and Schneier put into words some reasoning behind that:

First, verifying that someone has a photo ID is a completely useless security measure. All the Sept. 11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver's licenses for all 50 states, good enough to fool anyone who isn’t paying close attention, are available on the Internet. Or if you don’t want to buy IDs online, just ask any teenager where to get a fake ID.

Harder-to-forge IDs only help marginally, because the problem is not making sure the ID is valid. This is the second myth of ID checks: that identification combined with profiling can be an indicator of intention. […]

In short, checking IDs doesn’t help much since they could be forged. And, even if an ID is too difficult to forge, confirming an identity doesn't automatically stop crimes — even if IDs are checked against a list of known “bad guys”, the Bad Organizations could still recruit minions that aren’t yet on any Bad Lists. Schneier’s reasoning makes sense to me, but something tells me we won’t be doing away with ID checks at airports any time soon ;).

RC5-64 Success!

As mentioned on Slashdot, the Distributed.net effort has found the key in RSA’s RC5-64 challenge!

For those not familiar with the project: the security and encryption company RSA sponsored a contest to find the “key” to a message encrypted with one of its ciphers, RC5 with a 64-bit key. No shortcut attack on RC5 is known, so the only way to find the correct key was to try the possible keys (all 2^64 of them, in the worst case) one by one until one of them turned the ciphertext back into readable text.

This technique would be similar to going to a Make-A-Key kiosk, having every possible key cut for a padlock, and then trying each key one by one. Eventually you’ll find the right key to that lock. Because the method was pure trial and error, finding the key to that particular padlock makes the other padlocks of that type no less secure; each one still needs the same search from scratch.

RSA held these contests to put a number on how long keys of a given length survive against brute force, to demonstrate the power of a coordinated group of volunteers, and to encourage companies and governments to use longer keys. After all, you wouldn’t want your business’ secrets encrypted under a key that a group of volunteers could find, eh? ;)
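
To make the “try every key” part concrete, here is an added example (my own Go, not RSA’s or Distributed.net’s code): RC5-32/12/8, the cipher and key size of the RC5-64 challenge, plus a known-plaintext brute force over a slice of the key space. The secret key, the plaintext block and the choice to search only the key’s low 20 bits are all constructed for the example; the real contest had all 64 bits unknown, which is 2^44 times the work shown here.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// RC5-32/12/8: 32-bit words, 12 rounds, 8-byte (64-bit) key, i.e. the RC5-64
// challenge parameters. pMagic and qMagic are the constants fixed by the RC5 paper.
const (
	wordBits = 32
	rounds   = 12
	keyBytes = 8
	tableLen = 2 * (rounds + 1)
	pMagic   = 0xB7E15163
	qMagic   = 0x9E3779B9
)

// expandKey runs the RC5 key schedule and returns the round-key table S.
func expandKey(key [keyBytes]byte) [tableLen]uint32 {
	const keyWords = keyBytes / 4
	var L [keyWords]uint32
	for i := keyBytes - 1; i >= 0; i-- { // load key bytes little-endian into words
		L[i/4] = (L[i/4] << 8) + uint32(key[i])
	}
	var S [tableLen]uint32
	S[0] = pMagic
	for i := 1; i < tableLen; i++ {
		S[i] = S[i-1] + qMagic
	}
	var A, B uint32
	i, j := 0, 0
	for k := 0; k < 3*tableLen; k++ { // 3*max(tableLen, keyWords) mixing passes
		A = bits.RotateLeft32(S[i]+A+B, 3)
		S[i] = A
		B = bits.RotateLeft32(L[j]+A+B, int((A+B)&(wordBits-1)))
		L[j] = B
		i = (i + 1) % tableLen
		j = (j + 1) % keyWords
	}
	return S
}

// encryptBlock encrypts one 64-bit block given as two 32-bit words.
func encryptBlock(S *[tableLen]uint32, a, b uint32) (uint32, uint32) {
	a += S[0]
	b += S[1]
	for i := 1; i <= rounds; i++ {
		a = bits.RotateLeft32(a^b, int(b&(wordBits-1))) + S[2*i]
		b = bits.RotateLeft32(b^a, int(a&(wordBits-1))) + S[2*i+1]
	}
	return a, b
}

// decryptBlock inverts encryptBlock (negative rotation = rotate right).
func decryptBlock(S *[tableLen]uint32, a, b uint32) (uint32, uint32) {
	for i := rounds; i >= 1; i-- {
		b = bits.RotateLeft32(b-S[2*i+1], -int(a&(wordBits-1))) ^ a
		a = bits.RotateLeft32(a-S[2*i], -int(b&(wordBits-1))) ^ b
	}
	return a - S[0], b - S[1]
}

// bruteForce tries every key whose top (64-unknownBits) bits equal prefix and returns
// the first one that maps the known plaintext block to the observed ciphertext block,
// plus how many keys it tried. Each candidate costs a full key schedule; there is no
// way to rule out a key without trying it.
func bruteForce(pt, ct [2]uint32, prefix uint64, unknownBits uint) ([keyBytes]byte, uint64, bool) {
	var key [keyBytes]byte
	for low := uint64(0); low < 1<<unknownBits; low++ {
		binary.BigEndian.PutUint64(key[:], prefix<<unknownBits|low)
		S := expandKey(key)
		a, b := encryptBlock(&S, pt[0], pt[1])
		if a == ct[0] && b == ct[1] {
			return key, low + 1, true
		}
	}
	return key, 1 << unknownBits, false
}

// Demo plants a constructed key, encrypts one constructed block with it, and
// recovers the key by searching only its low 20 bits (2^20 of the 2^64 keys).
func Demo() (recovered bool, keysTried uint64) {
	secret := [keyBytes]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xc7, 0xd3} // constructed
	pt := [2]uint32{0x54686520, 0x756e6b6e}                                   // constructed block
	S := expandKey(secret)
	a, b := encryptBlock(&S, pt[0], pt[1])
	prefix := binary.BigEndian.Uint64(secret[:]) >> 20
	key, tried, ok := bruteForce(pt, [2]uint32{a, b}, prefix, 20)
	return ok && key == secret, tried
}

func main() {
	ok, tried := Demo()
	fmt.Printf("key recovered: %v after %d keys; the real challenge had %d times as many to search\n",
		ok, tried, uint64(1)<<44)
}
```

The search finishes in well under a second because only 2^20 keys are in play; scale that by 2^44 and you get the years of volunteer CPU time the contest actually took. Note that nothing learned from this key helps with the next one: a different secret means starting the loop again from zero.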

SSL Defeated in IE and Konqueror

From The Register: anyone with a valid VeriSign SSL site certificate can use it to sign a certificate for any other site, and IE and Konqueror will accept the result as if VeriSign had issued it, because neither browser checks the Basic Constraints extension that says whether a certificate is allowed to act as a CA:

A chain is formed when an intermediate certificate is trusted between server and client. Supposedly, the intermediate is accepted only if it’s signed by the certificate authority as safe for the purpose. If it’s merely signed by another certificate’s key, it ought not to be trusted, or at least the user should be warned. Unfortunately, due to a preposterous security engineering oversight, IE and Konqueror don't bother to check this […]

Mozilla isn’t affected, as usual, though the author chides Mozilla as if maybe it’s a Mozilla quirk that is preventing the exploit. I would hope that The Register’s authors wouldn’t have such uninformed preconceptions :-/.
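
Here is an added example (my own Go, not anything from The Register, VeriSign or either browser) that reproduces the flaw with real X.509 certificates: a root CA issues an ordinary site certificate with Basic Constraints CA=FALSE, and the holder of that certificate uses its key to sign a certificate for a different hostname. A chain check that only verifies signatures accepts the forgery; the same check with the CA flag enforced rejects it, and so does Go’s crypto/x509. The names (Example Root CA, shop.example, bank.example) are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue generates a P-256 key and a certificate for name signed by parentKey
// (self-signed when parent is nil). isCA sets the Basic Constraints CA flag.
func mustIssue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fine for a demo
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the extension is present; IsCA is its value
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// naiveChainOK is the flawed logic: the chain passes if each certificate's signature
// verifies under the next certificate's key, ending at the trusted root. It never
// asks whether that signer was authorised to issue certificates.
func naiveChainOK(chain []*x509.Certificate, root *x509.Certificate) bool {
	for i, cert := range chain {
		signer := root
		if i+1 < len(chain) {
			signer = chain[i+1]
		}
		pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
		digest := sha256.Sum256(cert.RawTBSCertificate) // P-256 certs are ECDSA-with-SHA256
		if !ok || !ecdsa.VerifyASN1(pub, digest[:], cert.Signature) {
			return false
		}
	}
	return true
}

// strictChainOK adds the missing check: every signer (intermediates and root) must
// carry Basic Constraints with CA=TRUE, and then the signatures must verify as well.
func strictChainOK(chain []*x509.Certificate, root *x509.Certificate) bool {
	for _, s := range append(append([]*x509.Certificate{}, chain[1:]...), root) {
		if !s.BasicConstraintsValid || !s.IsCA {
			return false
		}
	}
	return naiveChainOK(chain, root)
}

// Scenario builds a root CA, a site certificate it issued (CA=FALSE) and a certificate
// for a second site signed with the first site's key: the attack. It reports the two
// hand-rolled verdicts on the forged chain and crypto/x509's verdict on both chains.
func Scenario() (naive, strict bool, forgedErr, honestErr error) {
	root, rootKey := mustIssue("Example Root CA", true, nil, nil)
	site, siteKey := mustIssue("shop.example", false, root, rootKey)
	forged, _ := mustIssue("bank.example", false, site, siteKey) // signed by a plain site key
	chain := []*x509.Certificate{forged, site}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(site)
	_, forgedErr = forged.Verify(x509.VerifyOptions{DNSName: "bank.example", Roots: roots, Intermediates: inters})
	_, honestErr = site.Verify(x509.VerifyOptions{DNSName: "shop.example", Roots: roots})
	return naiveChainOK(chain, root), strictChainOK(chain, root), forgedErr, honestErr
}

func main() {
	naive, strict, forgedErr, honestErr := Scenario()
	fmt.Printf("forged chain: signature-only=%v basic-constraints=%v crypto/x509=%v\n", naive, strict, forgedErr)
	fmt.Printf("honest site certificate: crypto/x509 error=%v\n", honestErr)
}
```

The forged certificate is cryptographically perfect: every signature in the chain is genuine, which is exactly why a signature-only walk accepts it. What distinguishes a CA from a site is a single boolean in the issuer’s certificate, and a validator that never reads it turns every site-certificate holder into a CA.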

Defeating the Passenger Screening System

Samidh Chakrabarti and Aaron Strauss have written a paper, “Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System”. As with any paper, it can be a bit wordy at times, but the majority of it is quite readable. And, with any luck, Declan McCullagh will write up a summary article in the next few days.

This transparency is the Achilles’ Heel of CAPS; the fact that individuals know their CAPS status enables the system to be reverse engineered. You, like Simonyi, know if your carry-ons have been manually inspected. You know if you’ve been questioned. You know if you’re asked to stand in a special line. You know if you’ve been frisked. All of this open scrutiny makes it possible to learn an anti-profile to defeat CAPS, even if the profile itself is always kept secret. We call this the “Carnival Booth Effect” since, like a carnie, it entices terrorists to “Step Right Up! See if you’re a winner!” In this case, the terrorist can step right up and see if he’s been flagged. […]

Rock.
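
As an added illustration of the effect quoted above (my own simulation, not code from the paper): a toy scoring rule stands in for the secret CAPS profile, the attacker probes it with harmless dry runs, and we compare how often an operative chosen from the never-flagged survivors boards unscreened against one chosen blindly from the same group. The travelers, their attributes and the scoring rule are all constructed; the random-screening rate is included because making the verdict noisy is the obvious countermeasure, and the simulation shows how much of the attacker’s edge it removes.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Traveler carries the constructed attributes a hidden profile might score.
type Traveler struct {
	Name         string
	OneWay, Cash bool
	PriorFlights int
}

// secretProfile stands in for the classified CAPS rules. The attacker never reads
// it; like a real passenger, he only gets to observe its verdicts.
func secretProfile(t Traveler) bool {
	score := 0
	if t.OneWay {
		score += 2
	}
	if t.Cash {
		score += 2
	}
	if t.PriorFlights == 0 {
		score++
	}
	return score >= 3
}

// screen says whether a traveler is selected for secondary screening: a profile
// hit, or an independent random selection with probability randomRate.
func screen(t Traveler, randomRate float64, rng *rand.Rand) bool {
	return secretProfile(t) || rng.Float64() < randomRate
}

// carnivalBooth sends every candidate on probeFlights dry runs and keeps the ones
// who were never selected. The profile stays secret; the anti-profile is simply
// the list of survivors.
func carnivalBooth(candidates []Traveler, probeFlights int, randomRate float64, rng *rand.Rand) []Traveler {
	var survivors []Traveler
	for _, c := range candidates {
		selected := false
		for i := 0; i < probeFlights && !selected; i++ {
			selected = screen(c, randomRate, rng)
		}
		if !selected {
			survivors = append(survivors, c)
		}
	}
	return survivors
}

// attackSuccessRates runs many trials and reports how often the operative boards
// unscreened when chosen via carnivalBooth versus chosen blindly from the same
// pool. If probing leaves no survivors the attacker falls back to a blind pick.
func attackSuccessRates(candidates []Traveler, probeFlights, trials int, randomRate float64, seed int64) (probed, blind float64) {
	rng := rand.New(rand.NewSource(seed))
	for n := 0; n < trials; n++ {
		pool := carnivalBooth(candidates, probeFlights, randomRate, rng)
		if len(pool) == 0 {
			pool = candidates
		}
		if !screen(pool[rng.Intn(len(pool))], randomRate, rng) {
			probed++
		}
		if !screen(candidates[rng.Intn(len(candidates))], randomRate, rng) {
			blind++
		}
	}
	return probed / float64(trials), blind / float64(trials)
}

// Cell is a constructed six-person group; three of them happen to match the
// hidden profile, which the attacker does not know in advance.
func Cell() []Traveler {
	return []Traveler{
		{"A", true, true, 0}, {"B", true, false, 0}, {"C", false, true, 0},
		{"D", false, false, 3}, {"E", true, false, 5}, {"F", false, false, 0},
	}
}

func main() {
	for _, rate := range []float64{0, 0.1, 0.25} {
		p, b := attackSuccessRates(Cell(), 3, 4000, rate, 1)
		fmt.Printf("random screening %.0f%%: probed pick boards unscreened %.2f, blind pick %.2f\n", rate*100, p, b)
	}
}
```

With no random component the probed pick boards unscreened every single time, because a deterministic profile that passed someone on three dry runs will pass them on the fourth; the blind pick succeeds only about half the time. Adding random selection caps the attacker’s success at roughly one minus the random rate, which is the paper’s point about the value of randomness in the system.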