DHS releases top terrorist targets list

(via Schneier’s security blog)
Our government has wisely used our tax money to carefully analyze potential terrorist targets, narrowing the list from 160 targets a few years ago to a mere 77,000 targets now.  In case you are wondering if you are near a top terrorist target site, here are a few details from the linked article.

When it comes to homeland security, I give up.

I’ve tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I’ve critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I’ve resorted to that columnist stock-in-trade: mocking and satirizing.

. . .

And on that list of national assets are … 1,305 casinos! No doubt Muckleshoot made the cut (along with every other casino in our state).

The list has 234 restaurants. I have no idea if Dick’s made it. The particulars are classified. But you have to figure it did.

Why? Because here’s more of what the inspector general found passes for “critical infrastructure.” An ice-cream parlor. A tackle shop. A flea market. An Amish popcorn factory.

. . .

And yet … there is one more thing that’s got me wondering. The report says our state boasts 65 “national monuments and icons” — somehow twice as many as Washington, D.C.

There you have it.  Washington state has twice as many national monuments and icons as Washington, D.C.  I left out mention of the 700 critical mortuaries that are top terrorist targets, by the way.  I wonder if this list is an accurate view of what the federal government truly views as hot spots for terrorist attack, or just a big list of places where our congress-critters feel money needs to be spent on influential voters?

[tags]Top terrorist targets, Idiocy in government, OMGWTFBBG?!!1?![/tags]

Ooops! State department pwnz0rr3d.

(via boingboing)

Some days, things just don’t go your way. For the people responsible for US State Department computer and network security, it looks like that day was at least one day last month.

WASHINGTON (AP) — The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned.

I’ve worked computer security at government sites before.  This is the nightmare I think everyone at those sites has at least some times.

Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking.

. . .

“The department did detect anomalies in network traffic, and we thought it prudent to ensure our system’s integrity,” department spokesman Kurtis Cooper said. Asked what information was stolen by the hackers, Cooper said, “Because the investigation is continuing, I don’t think we even know.” Continue reading Ooops! State department pwnz0rr3d.

Star Wars, miniaturized

(via Engadget)

Reagan’s Star Wars program never really took off. That doesn’t mean it was a bad idea – it just wasn’t technologically feasible at the time. Time marches on, technology gets better, and some smart cookies come up with less-ambitious projects with similar goals.

WASHINGTON (Reuters) — Northrop Grumman forecast Wednesday a potential “very large” market for a laser-based system it has developed to shield airports and other installations from rockets, ballistic missiles and other threats.

Los Angeles-based Northrop (Charts) said it had already pitched the system, called Skyguard, to Israel, which worked with the company and the Army to develop the technology.

Northrop also is pushing Skyguard – described as capable of generating a shield five kilometers in radius – to each of the armed services and the Department of Homeland Security, company executives told a news briefing.

The technology looks to be in the $25-30 million per installation range.  Once produced in large quantities, that is.  And here’s the current sticking point:

For the United States, an initial unit could be ready in 18 months for $150 million to $200 million, added Dan Wildt, Northrop’s director of business development for directed energy systems.

Ahhhh, the ever elusive 18 month ready-date.  This is cool technology, really.  And if it comes together and really works, I could see instances where the cost is justifiable.  But as folks who know me can attest, I’m always skeptical of gee-whiz products with availability dates more than a few months out.  Not that I doubt this will happen – just that I doubt it will happen in the estimated time frame at the estimated price.

[tags]Northrop Grumman, Missile defense shield, Laser shield[/tags]

RFID passports (finally) coming soon to the US

(via Engadget)
The US State Department appears to finally think it is ready to issue e-Passports to Americans. Privacy advocates, security specialists, techie-weenies, and sensible people everywhere object, but in typical government manner, the State Department doesn’t care. “Nyah, Nyah!” appears to be the message.

Here’s the gist of it:

They’ll have radio frequency identification (RFID) tags and are meant to cut down on human error of immigration officials, speed the processing of visitors and safeguard against counterfeit passports.

Yet critics are concerned that the security benefit of RFID technology, which combines silicon chips with antennas to make data accessible via radio waves, could be vastly outweighed by security threats to the passport holder.

Making RFID tags usable but not abusable is a tough problem (right up there with solving Fermat’s last theorem, honestly). The technology will likely speed border checks and such, but by the very nature of the technology, they will be abusable and likely very insecure.

“Basically, you’ve given everybody a little radio-frequency doodad that silently declares ‘Hey, I’m a foreigner,'” says author and futurist Bruce Sterling, who lectures on the future of RFID technology. “If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes.”

. . .

“The basic problem with RFID is surreptitious access to ID,” said Bruce Schneier security technologist, author and chief technology officer of Counterpane Internet Security, a technology security consultancy. “The odds are zero that RFID passport technology won’t be hackable.”

. . .

In May, researchers at the University of Tel Aviv created a skimmer from electronics hobbyist kits costing less than $110. The equipment was small enough to fit into a briefcase or be disguised in any manner of luggage or clothes that could hide the 15-inch copper tube antenna.

The antenna boosts the read-range from a few inches to a few feet. To extend the range of surreptitious access much further, a second piece of equipment is needed to fake the RFID reader into sending a “read” signal, which is then relayed via radio waves to the skimmer’s reader near the targeted RFID chip.

. . .

U.S. passports are issued for ten years, which means the RFID chip technology of those passports, along with their vulnerabilities, will be floating around for a decade. Technology would have to “stop cold” Schneier of Counterpane says for improvements in skimming and hacking equipment not to occur.

Schneier has talked about this before in his Crypto-Gram newsletter.

In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5% negative. In response, the final State Department regulations, issued last month, contain two features that attempt to address security and privacy concerns. But one serious problem remains.

It’s still a hard problem to solve, and none of the security experts I trust have bought in to the project yet. Until I see someone like Schneier say “This is well done, with measures which should prevent unauthorized access.” I’m not liking it. Oh, and a little hint – it’s not likely any such expert will say any such thing any time soon.

[tags]RFID passports, e-passports, Identity theft[/tags]

Build your own proximity detector

(via MAKEzine blog)

proximity-detector.jpg

Come on!!!! You know you want one! Here’s my thinking on this project – build this, figure how to link it to your PC, and put up a couple around your cubicle at work. Suddenly, no one can surprise you by sneaking up to your cube because they are too short to see and detect over the wall. The Instructables guide mentions hooking it up to a sound playback device, but I think if you could hook it up via USB and write a driver to make a pop-up onscreen whenever the detector activates, you’d have a nearly perfect boss-detection-system (BDS) for work use.

[tags]MAKEzine, Proximity detector, DIY projects[/tags]

Automated Master Lock crackers

I don’t link to Hack-a-Day very often, which is shameful on my part, as it’s an excellent site.  The latest article that caught my eye is one on Master Lock automated “cracking” machines.  And if you aren’t interested in the robotic crackers, there’s a link to a guide on opening these locks yourself in about 10 minutes.
[tags]Locks, Master Locks, Lock cracking[/tags]

Why you should destroy your own hard drives

This Security Awareness article is old news now, but still required reading if you missed it the first go around. The basis of the story is simple – a couple paid for an upgraded hard drive on their system and received assurances from the Best Buy techs that the drive would be destroyed so no one could recover their information from the drive.

“They said rest assured. They drill holes in it so it’s useless,” said Gerbus.

A few months ago, Gerbus got a phone call from a man in Chicago.

“He said, ‘My name is Ed. I just bought your hard drive for $25 at a flea market in Chicago,” said Gerbus. “I thought my world was coming down.”

Hmmmmm. That’s doesn’t sound to me like the drive was destroyed with holes drilled in it. It does sound like Ed was decent and wasn’t going to steal the couples’ identities. But one can never be too careful.

“He said, ‘Do you want me to wipe it clean or send it to you?’ I told him to send it to me. I wanted it in my hands,” said Gerbus.

Gerbus received the hard drive a few weeks later.

As a precaution, the couple alerted the major credit bureaus to protect their information.

“I’m not leaving myself open to indentity theft,” said Gerbus.

Target 5’s Tom Sussi contacted Best Buy to figure out how the Gerbus’ hard drive wound up at a flea market outside Chicago.

In case you are wondering, Best Buy promises to investigate the matter.  I haven’t heard anything since this story first ran, so I don’t know what Best Buy found as the cause.

[tags]Security, Data destruction, Best Buy[/tags]

Common passwords

(via Schneier on Security)
If you have ever wondered how well brute-force password attack attempts are, you should check out this bit about a password audit at a popular German dating site (which means the article is in German as well – you can babelfish it for a nearly readable translation). Of particular interest is the number out of roughly 100,000 users with 123456 as their password (1375). Almost 850 others tried to be more clever and used the variations 12345, 12345678, or 123456789 as their password. The good news is that roughly 40 percent of the passwords were unique. The bad news is only about 40 percent of the passwords were unique.

Having done password audits in the past, I’ve seen things like this before. One place I worked used a list of about 30,000 common words (typically dictionary words, names, cities, common numeric sequences, etc), common passwords (NCC-1701 from Star Trek, CPE1704TKS from War Games, Schrodinger or Einstein, etc), and variations on those (backwards, add 1234 to the end, add 1 at the front and 2 at the end, etc). Against less than 1000 user accounts, we got almost 100 passwords guessed in about 4 hours. This was 10 years ago. Today, it would take much less time to get those passwords, and probably more would be guessed, because more common words and more variations could be included.

Good security isn’t easy. Good security involving people is even harder. People are easily the weakest link in security systems, and therefore the mostly common vector of attack.

[tags]Computer Security, passwords, Password audits[/tags]