The Sys-Security Group » 2007 » March

Archive for March, 2007

RFID-based Passports – What a bad bad idea…

Sunday, March 18th, 2007

While attending EUSecWest I enjoyed a chat with Adam Laurie of the trifinite group. Adam demonstrated some techniques allowing him to clone the new UK biometric passports. The fun part of it was that Adam was given a brand new passport (by a Daily Mail reporter) in its envelope, and he was able to pull the details of that passport without opening the envelope. Had he wanted to, Adam could also have cloned the passport.

So what does the RFID chip on the passport contain?

“Encoded on the passport’s RFID chip are three important files. One contains an electronic copy of the printed information on the passport’s photo page; the second holds the electronic image of the holder’s photo. The third is a security device which checks that the previous two files are not accessed and altered.”

The key needed to access the RFID chip is a 24-digit code, which is printed on the bottom line of the passport’s Machine Readable Zone (MRZ).

When an immigration officer swipes the passport it reveals the MRZ code, allowing him to access the information stored on the RFID chip.

The problem is that the MRZ code can be easily determined (the MRZ contains information such as the passport holder’s birth date, passport expiration date, ID number, etc.). Since most of the parameters used for the MRZ are known, and since the RFID chip allows repeated read attempts without any defense mechanism (e.g. a lockout after 3 unsuccessful read attempts), brute forcing the key is possible.

I took a look at my own passport. Although it is not an RFID-based passport, I wanted to see how predictable the MRZ is. To say the least, the MRZ is not a good idea to use.
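
An added example (not from the original post) that puts numbers on the predictability argument above. It assumes the ICAO Doc 9303 field layout and check digit rule for the 24-character key input (document number, birth date and expiry date, each followed by a check digit); the sample values and the candidate counts in `scenarios()` are constructed assumptions.

```python
import math
import string

# ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0.
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0
WEIGHTS = (7, 3, 1)


def check_digit(field: str) -> int:
    """Weighted sum (7, 3, 1 repeating) modulo 10, as in ICAO 9303."""
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def key_input(doc_number: str, birth: str, expiry: str) -> str:
    """Build the 24-character string the chip access key is derived from.

    doc_number is up to 9 characters, birth and expiry are YYMMDD. Each field
    is followed by its check digit, so 3 of the 24 characters add no secrecy.
    """
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)


def entropy_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Bits of uncertainty left, given the candidate count for each field."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)


def scenarios() -> dict:
    """Assumed candidate counts (hypothetical; adjust to the scheme reviewed)."""
    return {
        # What "24-digit key" suggests: 24 independent random digits.
        "24 random digits": math.log2(10 ** 24),
        # Numeric document number, any birth date in 100 years,
        # any expiry date within a 10-year validity period.
        "nothing known": entropy_bits(10 ** 9, 100 * 365, 10 * 365),
        # Birth date known, passport issued in the last 30 days,
        # sequential document numbers (1,000,000 candidates).
        "holder and issue window known": entropy_bits(10 ** 6, 1, 30),
    }


if __name__ == "__main__":
    # Constructed sample values, not a real passport.
    print(key_input("123456789", "800101", "170318"))
    for name, bits in scenarios().items():
        print(f"{name:32s} {bits:5.1f} bits")
```

The gap between the first and last scenario is why the missing limit on read attempts matters: with so little uncertainty left in the key input, the chip itself has to slow guessing down.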

The problems associated with this vulnerability include identity theft and other, scarier issues.

More information can be found here (The Daily Mail), here (The Register) and here (The Register).

Security takes time – Sometimes for a reason

Thursday, March 15th, 2007

Tim Green’s latest article at Network World, titled “Security takes time”, discusses the NAC admission process and the patience of users.

Tim argues that a longer NAC admission (and remediation) process might make users impatient and lead them not to use the network resources.

I generally agree with the assumption that the NAC admission process of an element to the network should not take long. But, I believe Tim may have mixed up several things in his article.

Tim writes about NAC admission, the process of evaluating whether a new element attached to the network complies with a defined security policy. The process might include examining service pack information, patches installed, installed applications, running applications, A/V (installed, running, updated), FW status and more.

This is Admission.

If the element does not comply with the network admission security policy, the user, or the NAC solution, should remediate the issues preventing the element from accessing the network.

This is remediation. And here Tim mixes up two issues, self-remediation and automatic remediation.

If the user is to perform self-remediation, time is less problematic, because the user must be aware that s/he needs to take an action in order to access the network. During the remediation process the user is made aware of exactly what is happening with the system and what it is undergoing (and why it takes longer to access the network).

If automatic remediation is performed, the user will not always know about the processes running in the background that keep the machine from connecting to the network. This, in some cases, results in users getting impatient because they do not understand what is going on.

This is what Tim Green suggests to his readers:

“… Customers should also test the gear with end users in various departments to find out whether the technology eats up too much time for some users, and whether some dispensation from NAC should be allowed in critical cases.”

NAC, according to my definition, is a security and compliance solution. The fact that an element is checked to verify it is in line with the network access security policy of an organization means that a certain risk to the stability and integrity of the enterprise LAN is minimized. When we start to make exceptions to the rule, we end up where some organizations are – with a lack of control over the enterprise LAN.

If we take into account user complaints about security-based products, we will never have them in place (e.g. a firewall blocking P-2-P applications).

On IPv6 Stacks Security

Wednesday, March 14th, 2007

The release of the Core security advisory regarding a remote kernel buffer overflow in OpenBSD’s IPv6 implementation is an indicator of what is expected to come next regarding the security and stability of IPv6 stack implementations.

In my opinion, when (and if) IPv6 becomes more widely adopted and exposed, we will experience an increase in this type of advisory and consequently in the number of incidents involving stack implementations of IPv6.

As more security researchers have the opportunity to examine and test IPv6 stack implementations, questioning their strengths and weaknesses, we should expect a number of these advisories regarding the stability and security of these implementations.

It will take some time until the majority of these issues are exposed to the public and fixed, as with any other new technology.

The iPhone, Apple’s biggest mistake?!

Friday, March 9th, 2007

The truth is that I still can’t understand Apple regarding the premature announcement of the iPhone. Not only is this the first time Apple has announced a new product well before it is going to be available on the market (6 months), but it is also the first time Apple is revealing all of the features and capabilities of a new product well before it is available.

The iPhone is not a revolution - the opposite is the truth.

I believe consumers will find the iPhone disappointing not only due to the enormous hype around it and the high expectations but also because of its features (and the lack of them). Once the cool factor diminishes and the features and capabilities are compared to other smart phones available on the market, the iPhone will not be declared the smart phone of all smart phones. On the contrary.

Why? Well, Apple is not a mobile phone company. This suggests that with the first generation of iPhones some mistakes may be made. One good example is with the battery which is an integral part of the phone…

Another mistake, in my opinion, is sticking with a single operator. Why not learn from the HTC model? When HTC understood that its mobile phones were such a hot commodity, they started selling their own brand alongside their old business of OEMing their phones to the largest operators in the world. In fact my mobile phone is made by HTC. If I wish to use an HTC mobile phone I can do this on any network I would like (as long as it is not CDMA).

But the following list of issues is even worse for Apple: the lack of voice dialing, 3G Internet access, and Word or Excel support, the fact that it can’t be used as a laptop modem, no support for removable memory, no 3rd party applications, and above all that its calendar, tasks, and e-mail will not sync with Microsoft Outlook.

In my opinion the iPhone is not a miracle; it is a mobile phone which now trails the existing mobile phones, and in 6 months this situation will be even worse.

What will the iPhone do for Apple? I am not sure, but I sincerely hope it will not be Apple’s biggest mistake.

Defected from Apple iPod, got a Sony S2 Sports Walkman

Wednesday, March 7th, 2007

Year after year (and sometimes with only a few months in between) I have been updating my line of iPods. I can see them stacked here, from the first generation of the iPod to the new iPod shuffle.

The one I did not get in the process is the iPod Video. Actually, when I examined the iPod Video I could not understand what all the enthusiasm was about. I still can’t understand who wants to watch movies on a 2.5-inch screen.

It would actually be interesting to study how many of the people who bought the iPod Video are actually using its video functionality and how many just bought it because it has a cool factor.

Although I got the new iPod shuffle and I own the nano, I am not pleased with them. It just irritates me that for a lot more money you get less technology/features.

So, lately I was wondering which new MP3 player I should get. Finally I got the new Sony S2 sports walkman (the 2GB version). Compared to the iPod it has a screen, only one line but usable. It has a built-in FM tuner, and it is able to report various information regarding your sports activities. What I like the most is that for 3 hours of playing songs I only need 3 minutes of charging.

Sure, there are some drawbacks, like no software for my Mac OS X, but still, as a whole this is a better player, with more features, the same price (the 1GB version is 80USD), and better quality.

I believe that there are other people like me who are disappointed at what Apple has to offer them currently with the iPod player line of products. Just look at Archos’s new 604 player and you will understand what I am talking about.