<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Weaknesses in Wiegand</title>
	<atom:link href="http://www.sindark.com/2009/06/19/weaknesses-in-wiegand/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.sindark.com/2009/06/19/weaknesses-in-wiegand/</link>
	<description>Temporarily Torontonian</description>
	<lastBuildDate>Fri, 10 Feb 2012 16:08:33 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: .</title>
		<link>http://www.sindark.com/2009/06/19/weaknesses-in-wiegand/#comment-79239</link>
		<dc:creator>.</dc:creator>
		<pubDate>Fri, 19 Jun 2009 21:45:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.sindark.com/?p=5772#comment-79239</guid>
		<description>Meet Chris Paget, a hacker who believes that people shouldn&#039;t be tagged with RFIDs. He spent a productive day driving around San Francisco, sniffing and cloning mountains of RFID-equipped US passports and driver&#039;s licenses. The equipment to accomplish this feat cost him $250. When we debate the risks associated with RFID-equipped IDs, we usually focus on what happens when the government can follow us around everywhere -- but the real risk may be that crooks, marketing creeps and various unaffiliated snoops will do this instead.

&lt;a href=&quot;http://www.boingboing.net/2009/02/02/us-passports-can-be.html&quot; rel=&quot;nofollow&quot;&gt;Cloning passport card RFIDs in bulk for under $250&lt;/a&gt;</description>
		<content:encoded><![CDATA[<p>Meet Chris Paget, a hacker who believes that people shouldn&#8217;t be tagged with RFIDs. He spent a productive day driving around San Francisco, sniffing and cloning mountains of RFID-equipped US passports and driver&#8217;s licenses. The equipment to accomplish this feat cost him $250. When we debate the risks associated with RFID-equipped IDs, we usually focus on what happens when the government can follow us around everywhere &#8212; but the real risk may be that crooks, marketing creeps and various unaffiliated snoops will do this instead.</p>
<p><a href="http://www.boingboing.net/2009/02/02/us-passports-can-be.html" rel="nofollow">Cloning passport card RFIDs in bulk for under $250</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: .</title>
		<link>http://www.sindark.com/2009/06/19/weaknesses-in-wiegand/#comment-79227</link>
		<dc:creator>.</dc:creator>
		<pubDate>Fri, 19 Jun 2009 18:52:08 +0000</pubDate>
		<guid isPermaLink="false">http://www.sindark.com/?p=5772#comment-79227</guid>
		<description>&lt;a href=&quot;http://www.stratfor.com/weekly/20090617_security_places_worship_more_matter_faith&quot; rel=&quot;nofollow&quot;&gt;Security Means More than Alarms and Locks&lt;/a&gt;

An effective security program is more than just having physical security measures in place. Like any man-made constructs, physical security measures — closed-circuit television (CCTV), alarms, cipher locks and so forth — have finite utility. They serve a valuable purpose in institutional security programs, but an effective security program cannot be limited to these things. Devices cannot think or evaluate. They are static and can be observed, learned and even fooled. Also, because some systems frequently produce false alarms, warnings in real danger situations may be brushed aside. Given these shortcomings, it is quite possible for anyone planning an act of violence to map out, quantify and then defeat or bypass physical security devices. However, elaborate planning is not always necessary. Consider the common scenario of a heavy metal door with very good locks that is propped open with a trashcan or a door wedge. In such a scenario, an otherwise “secure” door is defeated by an internal security lapse. 
However, even in situations where there is a high degree of threat awareness, there is a tendency to place too much trust in physical security measures, which can become a kind of crutch — and, ironically, an obstacle to effective security. 

In fact, to be effective, physical security devices always require human interaction. An alarm is useless if no one responds to it, or if it is not turned on; a lock is ineffective if it is not engaged. CCTV cameras are used extensively in corporate office buildings and some houses of worship, but any competent security manager will tell you that, in reality, they are far more useful in terms of investigating a theft or act of violence after the fact than in preventing one (although physical security devices can sometimes cause an attacker to divert to an easier target).</description>
		<content:encoded><![CDATA[<p><a href="http://www.stratfor.com/weekly/20090617_security_places_worship_more_matter_faith" rel="nofollow">Security Means More than Alarms and Locks</a></p>
<p>An effective security program is more than just having physical security measures in place. Like any man-made constructs, physical security measures — closed-circuit television (CCTV), alarms, cipher locks and so forth — have finite utility. They serve a valuable purpose in institutional security programs, but an effective security program cannot be limited to these things. Devices cannot think or evaluate. They are static and can be observed, learned and even fooled. Also, because some systems frequently produce false alarms, warnings in real danger situations may be brushed aside. Given these shortcomings, it is quite possible for anyone planning an act of violence to map out, quantify and then defeat or bypass physical security devices. However, elaborate planning is not always necessary. Consider the common scenario of a heavy metal door with very good locks that is propped open with a trashcan or a door wedge. In such a scenario, an otherwise “secure” door is defeated by an internal security lapse.<br />
However, even in situations where there is a high degree of threat awareness, there is a tendency to place too much trust in physical security measures, which can become a kind of crutch — and, ironically, an obstacle to effective security. </p>
<p>In fact, to be effective, physical security devices always require human interaction. An alarm is useless if no one responds to it, or if it is not turned on; a lock is ineffective if it is not engaged. CCTV cameras are used extensively in corporate office buildings and some houses of worship, but any competent security manager will tell you that, in reality, they are far more useful in terms of investigating a theft or act of violence after the fact than in preventing one (although physical security devices can sometimes cause an attacker to divert to an easier target).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Milan</title>
		<link>http://www.sindark.com/2009/06/19/weaknesses-in-wiegand/#comment-79226</link>
		<dc:creator>Milan</dc:creator>
		<pubDate>Fri, 19 Jun 2009 18:31:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.sindark.com/?p=5772#comment-79226</guid>
		<description>RFID has lots of problems, and putting it in passports is especially stupid. It is easy to scan a passport using a physical or optical reader. Making them readable at a distance by radio is just dangerous.

More on RFID:&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://www.sindark.com/2008/01/06/mifare-rfid-tags-reverse-engineered/&quot; rel=&quot;nofollow&quot;&gt;Mifare RFID tags reverse engineered&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.sindark.com/2008/09/12/rfid-tinkering-kit/&quot; rel=&quot;nofollow&quot;&gt;RFID tinkering kit&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.sindark.com/2008/01/24/mastercard-and-rfid/&quot; rel=&quot;nofollow&quot;&gt;Mastercard and RFID&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.sindark.com/2008/03/14/oyster-cards-cracked/&quot; rel=&quot;nofollow&quot;&gt;Oyster cards cracked&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
		<content:encoded><![CDATA[<p>RFID has lots of problems, and putting it in passports is especially stupid. It is easy to scan a passport using a physical or optical reader. Making them readable at a distance by radio is just dangerous.</p>
<p>More on RFID:
<ul>
<li><a href="http://www.sindark.com/2008/01/06/mifare-rfid-tags-reverse-engineered/" rel="nofollow">Mifare RFID tags reverse engineered</a></li>
<li><a href="http://www.sindark.com/2008/09/12/rfid-tinkering-kit/" rel="nofollow">RFID tinkering kit</a></li>
<li><a href="http://www.sindark.com/2008/01/24/mastercard-and-rfid/" rel="nofollow">Mastercard and RFID</a></li>
<li><a href="http://www.sindark.com/2008/03/14/oyster-cards-cracked/" rel="nofollow">Oyster cards cracked</a></li>
</ul>
]]></content:encoded>
	</item>
	<item>
		<title>By: Alison</title>
		<link>http://www.sindark.com/2009/06/19/weaknesses-in-wiegand/#comment-79225</link>
		<dc:creator>Alison</dc:creator>
		<pubDate>Fri, 19 Jun 2009 18:26:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.sindark.com/?p=5772#comment-79225</guid>
		<description>This reminds me of the problems of enhanced driver&#039;s licenses. Some proposals for EDLs want to place RFID chips in licenses; at border crossings and other places where ID needs to be validated, the license is swept against a card reader. The hardware for making a reader is very cheap, and unencrypted information is easily accessed.</description>
		<content:encoded><![CDATA[<p>This reminds me of the problems of enhanced driver&#8217;s licenses. Some proposals for EDLs want to place RFID chips in licenses; at border crossings and other places where ID needs to be validated, the license is swept against a card reader. The hardware for making a reader is very cheap, and unencrypted information is easily accessed.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

