Monday, August 17, 2009

Bourne Incrimination - bio identity theft, the next big problem

It was only a matter of time before it became possible to create fake DNA evidence. That time is now.

DNA Evidence Can be Fabricated [New York Times]

Think it's bad when somebody steals your identity, drains your bank account, and spends thousands of dollars on credit cards they opened with your name on it? This run of the mill identity theft can cost you thousands of dollars, and many years to clean up. It pales in comparison to what will happen if biometric data becomes commonly used as proof of identity. Sometimes also called bio-print (like fingerprint) or bio-identity mechanisms, such things as retina scans and fingerprint scans are already in use, or even common use. DNA scans are likely to become possible several years from now, as the technology to read DNA is evolving rapidly. An entire genome can be sequenced by three people and equipment costing a few hundred thousand dollars, in a very short period of time, several days. When it become possible to read DNA in more or less real time, people will undoubtedly clamor to use it as an identity mechanism, for bank access, for voting, and who knows what else.

Even (or perhaps long, if you doubt that day is near) before that's possible, databases will be filled with your DNA sequences, because it will be valuable to you and your doctor. Unless we get unexpectedly better at protecting data, those databases will be protected by the same organizations, people, and technologies which today fail to protect your simple text based identity -- your name, date of birth, social security number, address, and phone number.

With current technology, you can engineer a crime scene. You can make it look like a specific, innocent person committed a homicide, for example. The technology required to do so remains expensive, but it's well within the reach of governments, and the capabilities of research labs.

If you're writing the next hollywood script for Jason Bourne or James Bond, keep your eye on this stuff. It's moving faster than Hollywood.

Tuesday, June 02, 2009

Master Lock Pickers and the Security Mirage

If you ever doubted that the lock on your door was in place to keep out the kids, doubt no more. This fascinating article details one of the world's top lock pickers.

The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit

A good friend of mine has been picking locks as a hobby most of his life. This is a skill that can be learned by any bright, patient person.

It's a safe bet there are more people around who know how to pick locks than there are people getting paid to rethink the lock and key.

Monday, May 18, 2009

on cyber warfare, China, Kylin

Yes, the Washington Times is not exactly a premier source of security information, but with analysis and reporting like this, who needs enemies? Two fascinating tidbits from this article: China blocks U.S. from cyber warfare.

The first is an absolutely classic Freudian slip:

U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp. (This observation isn't attributed in the article.)

That ought to have you rolling on the floor, laughing, until you realize that these are the very same "less secure operating systems like those made by Microsoft Corp." which the bureaucrats at every level of Federal, State, and local governance in the U.S. have been "standardizing" on. Then your sphincters pucker.

The point of the article is that the Chinese have developed and deployed their own operating system and "hardened" CPU architecture to run it on, and have been deploying it on Chinese government and military systems, rendering substantial portions of the the U.S. strategy for cyber counter-attack irrelevant. Various security "experts" testified before Congress to raise some alarms.

Perhaps it's just poor reporting, but these crack security experts seem to be under the impression that this Kylin thing is mysterious, and don't seem to have noticed that Kylin appears to be a hardened version of FreeBSD (an open source operating system), and that you can apparently download versions of it with a quick google search (see: Some random blogger with links to Kylin iso images.)

Which makes the next bit from this article even more amusing. This statement is attributed to Kevin G. Coleman, but this is the Washington Times, who knows if poor Mr. Coleman actually said any such thing this silly:

U.S. operating system software, including Microsoft, used open-source and offshore code that makes it less secure and vulnerable to software "trap doors" that could allow access in wartime, he explained

Of course, no real security expert would ever mean to imply that Microsoft's security issues were primarily, or even in any meaningful way at all, based on open-source software. Microsoft has used tiny amounts of BSD code in their network stack, but Microsoft's security problems are of their own, proprietary making, and everyone who can spell CISSP or SANS knows that.

The take home lessons:
  1. do a google search before you try to panic the Congress, and
  2. if FreeBSD derivatives can be secured such that people panic when China deploys them, maybe U.S. government agencies ought to re-think their obsession and love affair with the less secure Microsoft systems, with which they have been utterly failing to protect U.S. Government assets, secrets, and infrastructure, according to other testimony reported in this and other articles, and perhaps
  3. rather than inciting panic, somebody ought to be downloading those ISO images, installing Kylin, and running some automated tools against its network services, looking for buffer overflow exploits.