Biometric Passports Make it Harder for Undercover CIA Officers

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents.

Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a particular name. Likewise, biometric passports, which are embedded with microchips containing a person’s face, sex, fingerprints, date and place of birth, and other personal data, are increasingly replacing the old paper ones. For a clandestine field operative, flying under a false name could be a one-way ticket to a headquarters desk, since they’re irrevocably chained to whatever name and passport they used.

“If you go to one of those countries under an alias, you can’t go again under another name,” explains a career spook, who spoke on condition of anonymity because he remains an agency consultant. “So it’s a one-time thing — one and done. The biometric data on your passport, and maybe your iris, too, has been linked forever to whatever name was on your passport the first time. You can’t show up again under a different name with the same data.”

(From Bruce Schneier’s Blog)

Now, I know why I should wait for an hour in a line in Dubai Airport waiting my turn for the eye scan…

Introduction to Luhn’s Algorithm

In the past few weeks, we have been working on automating the Loyalty Program of a major retailer. We used Luhn’s Algorithm to validate the card numbers before registration.

The Luhn algorithm or Luhn formula, also known as the “modulus 10” or “mod 10” algorithm, is a simple checksum formula used to validate a variety of identification numbers. Currently it is used for credit card numbers, IMEI numbers, National Provider Identifier numbers in the US, Canadian Social Insurance Numbers and others. It was created by IBM scientist Hans Peter Luhn and described in U.S. Patent No. 2,950,048, filed on January 6, 1954, and granted on August 23, 1960.

The Luhn algorithm will detect any single-digit error, as well as almost all transpositions of adjacent digits. It will not, however, detect transposition of the two-digit sequence 09 to 90 (or vice versa). It will detect 7 of the 10 possible twin errors (it will not detect 22 ↔ 55, 33 ↔ 66 or 44 ↔ 77).

Other, more complex check-digit algorithms (such as the Verhoeff algorithm) can detect more transcription errors. The Luhn mod N algorithm is an extension that supports non-numerical strings.

Because the algorithm operates on the digits in a right-to-left manner and zero digits affect the result only if they cause shift in position, zero-padding the beginning of a string of numbers does not affect the calculation. Therefore, systems that pad to a specific number of digits by converting 1234 to 0001234 (for instance) can perform Luhn validation before or after the padding and achieve the same result.

The algorithm appeared in a US Patent for a hand-held, mechanical device for computing the checksum. It was therefore required to be rather simple. The device took the mod 10 sum by mechanical means. The substitution digits, that is, the results of the double and reduce procedure, were not produced mechanically. Rather, the digits were marked in their permuted order on the body of the machine.

Example

The formula verifies a number against its included check digit, which is usually appended to a partial account number to generate the full account number. This account number must pass the following test:

  1. Counting from the check digit, which is the rightmost, and moving left, double the value of every second digit.
  2. Sum the digits of the products (e.g., 10 = 1 + 0 = 1, 14 = 1 + 4 = 5) together with the undoubled digits from the original number.
  3. If the total modulo 10 is equal to 0 (if the total ends in zero) then the number is valid according to the Luhn formula; else it is not valid.

Assume an example of an account number “4992739871” that will have a check digit added, making it of the form 4992739871x.

Counting from the position the check digit will occupy, every second digit is doubled, so 1, 8, 3, 2 and 9 become 2, 16, 6, 4 and 18. Summing the digits of the products together with the undoubled digits gives 4 + (1+8) + 9 + (4) + 7 + (6) + 9 + (1+6) + 7 + (2) = 64. To make the sum divisible by 10, we set the check digit (x) to 6, making the full account number 49927398716.

The account number 49927398716 can be validated as follows:

  1. Double every second digit, from the rightmost: (1×2) = 2, (8×2) = 16, (3×2) = 6, (2×2) = 4, (9×2) = 18
  2. Sum all the individual digits (digits in parentheses are the products from Step 1): 6 + (2) + 7 + (1+6) + 9 + (6) + 7 + (4) + 9 + (1+8) + 4 = 70
  3. Take the sum modulo 10: 70 mod 10 = 0, so the account number passes the Luhn check.
Source: Wikipedia
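The three steps above, as an added example in Python (this is not the retailer’s registration code nor code from the Wikipedia article). It goes a little beyond the decimal case: the alphabet is a parameter, which gives the Luhn mod N variant mentioned earlier, and a helper lists the adjacent transpositions the checksum fails to catch. The base-36 alphabet and every sample code below are constructed for illustration. One caveat for anyone using this the way we did, at registration: Luhn is a transcription check, not an authentication control. The check digit is public arithmetic, so it rejects typos but not forged or guessed card numbers; those need a lookup against the issued set or a cryptographic MAC.

```python
# Added example: Luhn validation and check-digit generation, parameterised by
# alphabet so that DIGITS gives the classic mod-10 form and any other
# alphabet gives Luhn mod N.

DIGITS = "0123456789"
BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # assumed alphabet for the mod N demo


def _weighted_total(code: str, alphabet: str, double_first: bool) -> int:
    """Luhn mod N total of `code`, read right to left.

    Every second character is doubled; a doubled value v is reduced to
    v // N + v % N, which for N = 10 is the digit sum of the product
    (16 -> 1 + 6 = 7, 18 -> 1 + 8 = 9). `double_first` says whether the
    rightmost character is doubled: it is not when that character is the
    check digit, and it is when the check digit has yet to be appended.
    """
    n = len(alphabet)
    total = 0
    for i, ch in enumerate(reversed(code)):
        try:
            v = alphabet.index(ch)
        except ValueError:
            raise ValueError(f"{ch!r} is not in the alphabet") from None
        if (i % 2 == 0) == double_first:
            v *= 2
        total += v // n + v % n
    return total


def luhn_valid(number: str, alphabet: str = DIGITS) -> bool:
    """True if the rightmost character is a correct Luhn check digit."""
    if not number:
        return False
    return _weighted_total(number, alphabet, double_first=False) % len(alphabet) == 0


def luhn_check_digit(partial: str, alphabet: str = DIGITS) -> str:
    """Check digit that makes `partial + digit` pass luhn_valid."""
    n = len(alphabet)
    total = _weighted_total(partial, alphabet, double_first=True)
    return alphabet[(n - total % n) % n]


def undetected_adjacent_swaps(number: str, alphabet: str = DIGITS) -> list:
    """Positions i at which swapping number[i] and number[i+1] still validates.

    For decimal Luhn the only such swap is 09 <-> 90; every other adjacent
    transposition of distinct digits changes the total modulo 10.
    """
    if not luhn_valid(number, alphabet):
        raise ValueError("input must itself be a valid Luhn number")
    misses = []
    for i in range(len(number) - 1):
        if number[i] == number[i + 1]:
            continue  # swapping identical characters is not an error
        swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
        if luhn_valid(swapped, alphabet):
            misses.append(i)
    return misses


if __name__ == "__main__":
    partial = "4992739871"                       # the post's example number
    full = partial + luhn_check_digit(partial)   # 49927398716
    print(full, luhn_valid(full))
    print("zero padding changes nothing:", luhn_valid("000" + full))
    print("09 and 90 both pass:", luhn_valid("091"), luhn_valid("901"))
    print("twin error 22 -> 55 passes:", luhn_valid("224"), luhn_valid("554"))
    print("mod 36 check char for SHA1:", luhn_check_digit("SHA1", BASE36))
```

The doubled-value reduction `v // n + v % n` is what makes the same code serve both the mod-10 and the mod-N case; for decimal digits it is exactly the “sum the digits of the product” step, and subtracting 9 from products above 9 would be the equivalent shortcut.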

New Type of Secret Questions!

While setting up an account at the National Archives in order to request a document, I found this rather original challenge question.

Cyber Weapons: The New Arms Race

The Pentagon, the IMF, Google, and others have been hacked. It’s war out there, and a cyber-weapons industry is exploding to arm the combatants.

In the early morning hours of May 24, an armed burglar wearing a ski mask broke into the offices of Nicira Networks, a Silicon Valley startup housed in one of the countless nondescript buildings along Highway 101. He walked past desks littered with laptops and headed straight toward the cubicle of one of the company’s top engineers. The assailant appeared to know exactly what he wanted, which was a bulky computer that stored Nicira’s source code. He grabbed the one machine and fled. The whole operation lasted five minutes, according to video captured on an employee’s webcam. Palo Alto Police Sergeant Dave Flohr describes the burglary as a run-of-the-mill Silicon Valley computer grab. “There are lots of knuckleheads out there that take what they can and leave,” he says. But two people close to the company say that they, as well as national intelligence investigators now looking into the case, suspect something more sinister: a professional heist performed by someone with ties to China or Russia. The burglar didn’t want a computer he could sell on Craigslist. He wanted Nicira’s ideas. Read full article here

DoD Strategy for Operating in Cyberspace

The Department of Defense (DoD) has published a strategy for operating in cyberspace, prompted by the increasing number of successful attacks on US cyber-targets.

The Pentagon organizes the document in five strategic initiatives; I’ve simplified and commented on them below.

#1 Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential

An important concept is established here: the military now calls cyberspace a domain, adding it to the existing domains of land, sea, air and space.

The document signals the level of attention the cyberspace domain is to receive in the military by mentioning the following:

  • Resources are provided on a scale as if cyberspace were another terrestrial continent; for example, the U.S. Navy’s 10th Fleet was reactivated in 2010 and is now charged with cyberspace (rather than anti-submarine operations in the Atlantic, its mission from 1943 to 1945). Of note, a numbered U.S. fleet historically represents a vast geographic region, and establishing a numbered fleet command automatically carries the weight of a three-star admiral and a large staff.
  • Cyber red teams will be included in all war games and exercises, anticipating degraded cyberspace operations and disruption in the midst of a mission. Disrupting war games is expensive and even risky; but this seems like a great way to improve our troop readiness across the board.

# 2 Employ new defense operating concepts to protect DoD networks and systems

This includes:

  • following cyber hygiene best practices
  • focusing on insider threat mitigation
  • deploying a better Intrusion Prevention System (IPS)
  • a promise to constantly develop new defense operating concepts

I think these are very basic security housekeeping concepts for any IT organization; the Pentagon is not saying anything new here.

#3 Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy

One weak point the Pentagon admits is its dependency on the private-sector IT hardware and software industry, and on the same telecommunications carriers and Internet Service Providers (ISPs) that everyone else uses. So the Pentagon has to promote private-sector participation to improve cybersecurity. This may be of great advantage, but it may also lead to security leaks.

The Department of Homeland Security (DHS), which emerged after the attacks of September 11, leads the inter-agency effort; DoD’s role here is to support DHS, not to direct it.

#4 Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity

This initiative stems from the recognition that cyberspace is a network of networks including thousands of ISPs across the globe; no single state or organization can maintain effective cyber defenses on its own. The Pentagon seems to be making considerable advances in this domain with its global collection of data (cyber events, threat signatures of malicious code, and information about emerging actors and threats).

#5 Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation

The Pentagon is building the National Cyber Range, a lab where large-scale experiments and network simulations are conducted; knowing that such a facility exists to attract and retain cyber talent is good news. DoD needs to attract talent and skills in this domain, whether from academia or from business.

To replicate the dynamism of the private sector and harness the power of emerging computing concepts, DoD’s acquisition processes for information technology will adopt new principles. Speed is a critical priority. DoD’s acquisition processes and regulations must match the technology development life cycle. With information technology, this means cycles of 12 to 36 months, not seven or eight years.

To download the full strategy text, published in July 2011, follow this link: DoD Strategy (PDF).

Scroogle

Many have discussed whether Google retains too much Personally Identifiable Information (PII) for too long.

The website scroogle.com says: “Every day Scroogle crumbles 350,000 cookies and blocks a million ads.”

So Scroogle does not:

  • Pass cookies on.
  • Keep search-term records.
  • Retain access logs for more than 48 hours.

The website calls Scroogle a scraper. The process is simple: you enter your search request in the web browser as normal; it is sent to Scroogle over an SSL connection; Scroogle replaces all your identifying information with its own and forwards the request to Google; Google records Scroogle’s IP address and the search terms and replies with a cookie and the search results; Scroogle discards the cookie and sends only the search results back to you. The privacy gain depends on trusting Scroogle instead, since it sees every query together with the address it came from, which is why the 48-hour log retention above matters.
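As an added example, not Scroogle’s own code, here is the scrubbing a scraper of this kind has to do on each hop in Python: forward only an allow-list of request headers under the proxy’s own identity, strip the search engine’s Set-Cookie on the way back, and keep an access log that records who connected but never what they searched, pruned at 48 hours. Only the three properties in the list above come from the page; the allow-list, the proxy identity string, the sample headers and the timestamps are constructed for this illustration, and nothing here touches the network.

```python
# Added example: header scrubbing and log pruning for a Scroogle-style
# search scraper. Allow-list, identity string and sample data are assumed.

from datetime import datetime, timedelta, timezone

# Request headers the scraper forwards unchanged. Everything else, notably
# Cookie, User-Agent, Referer and X-Forwarded-For, is dropped so the upstream
# search engine sees the proxy rather than the user.
FORWARDED_REQUEST_HEADERS = {"accept", "accept-language"}
PROXY_USER_AGENT = "SearchScraper/1.0 (assumed proxy identity)"

# Response headers that would hand the user a tracking token if relayed.
DROPPED_RESPONSE_HEADERS = {"set-cookie", "set-cookie2"}

LOG_RETENTION = timedelta(hours=48)

SAMPLE_CLIENT_HEADERS = {   # constructed browser request, as the proxy receives it
    "Host": "scroogle.org",
    "Cookie": "SID=user-session-token",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "X-Forwarded-For": "203.0.113.5",
    "Accept": "text/html",
    "Accept-Language": "en",
}
SAMPLE_UPSTREAM_HEADERS = {  # constructed search-engine response
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "PREF=tracking-id; expires=Sun, 01-Jan-2012 00:00:00 GMT; path=/",
    "Cache-Control": "private",
}


def scrub_request(client_headers: dict, upstream_host: str = "www.google.com") -> dict:
    """Outbound headers: allow-listed fields only, plus the proxy's identity.

    Header names are lower-cased on output so callers can rely on the keys.
    """
    out = {k.lower(): v for k, v in client_headers.items()
           if k.lower() in FORWARDED_REQUEST_HEADERS}
    out["host"] = upstream_host
    out["user-agent"] = PROXY_USER_AGENT
    return out


def scrub_response(upstream_headers: dict) -> dict:
    """Headers relayed to the user; the search engine's cookie never reaches the browser."""
    return {k.lower(): v for k, v in upstream_headers.items()
            if k.lower() not in DROPPED_RESPONSE_HEADERS}


class AccessLog:
    """Records who connected and when, never what they searched."""

    def __init__(self):
        self.entries = []   # list of (timestamp, client_ip)

    def record(self, client_ip: str, when: datetime) -> None:
        self.entries.append((when, client_ip))

    def prune(self, now: datetime) -> int:
        """Drop entries older than LOG_RETENTION; returns how many were removed."""
        cutoff = now - LOG_RETENTION
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] >= cutoff]
        return before - len(self.entries)


def retention_demo() -> tuple:
    """Constructed scenario: one connection 1h old, one 49h old, then a prune."""
    now = datetime(2011, 8, 1, 12, 0, tzinfo=timezone.utc)
    log = AccessLog()
    log.record("203.0.113.5", now - timedelta(hours=1))
    log.record("198.51.100.7", now - timedelta(hours=49))
    removed = log.prune(now)
    return removed, [ip for _, ip in log.entries]


if __name__ == "__main__":
    print("to upstream:", scrub_request(SAMPLE_CLIENT_HEADERS))
    print("to user:", scrub_response(SAMPLE_UPSTREAM_HEADERS))
    print("pruned, remaining:", retention_demo())
```

The allow-list direction is deliberate: a deny-list of known tracking headers would miss the next one a browser or search engine introduces, whereas an allow-list fails closed.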

British Airways terrorist relied on Jesus-era encryption

An IT worker from British Airways jailed for 30 years for terrorism offences used encryption techniques that pre-date the birth of Jesus.

Rajib Karim, 31, from Newcastle, was found guilty of attempting to use his job at BA to plot a terrorist attack at the behest of Yemen-based radical cleric Anwar al-Awlaki, a leader of al-Qaeda in the Arabian Peninsula.

Sentencing him at Woolwich Crown Court last week, Justice Calvert-Smith described Karim as a “committed jihadist” who responded “enthusiastically” towards plans to smuggle a bomb onto a plane or damage BA’s IT systems.

Justice Calvert-Smith praised police for being able to decipher incriminating documents under “five or more layers of protection”, the Daily Telegraph reports.

However, claims by the prosecution that the coding and encryption systems were the most sophisticated ever seen in use were overstated – by more than 2,000 years.

Woolwich Crown Court was told that Bangladeshi Islamic activists who were in touch with Karim had rejected the use of common modern systems such as PGP or TrueCrypt in favour of a system which used Excel transposition tables, which they had invented themselves.

But the underlying code system they used predated Excel by two millennia. The single-letter substitution cipher they used was invented by the ancient Greeks and had been used and described by Julius Caesar in 55BC.

Karim, an IT specialist, had used PGP, but for storage only.

Despite urging by the Yemen-based al Qaida leader Anwar al-Awlaki, Karim also rejected the use of a sophisticated code program called “Mujhaddin Secrets”, which implements all the AES candidate cyphers, “because ‘kaffirs’, or non-believers, know about it so it must be less secure”.

The majority of the communications that formed the basis of the case against Karim, which claimed to warn of a possible terrorist plot in the making, were exchanged using the Excel spreadsheet technique, according to the prosecution.
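To show how little protection a single-letter substitution gives, here is an added example in Python; it is not Karim’s spreadsheet table, which the reporting above does not reproduce. It implements a general monoalphabetic substitution (the Caesar shift is the special case where the key alphabet is merely rotated) and breaks the shifted variant by comparing the letter frequencies of each candidate decryption against a standard English frequency table. The plaintext and the keyboard-order key are constructed for the demonstration.

```python
# Added example: monoalphabetic substitution and a frequency-analysis attack
# on the Caesar-shift case. PLAINTEXT and the sample key are constructed.

import string

ALPHABET = string.ascii_lowercase

# Standard relative frequencies (percent) of letters in English text, used as
# the reference distribution for the chi-squared test below.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}

# Constructed message in ordinary English; spaces are left in place, which a
# real user of such a scheme would probably also do.
PLAINTEXT = ("the package will be collected from the usual place on thursday "
             "evening and taken to the station before the last train leaves "
             "do not write anything down and do not use the office telephone "
             "we will talk again when the weather improves")


def substitute(text: str, key: str) -> str:
    """Monoalphabetic substitution: `key` is a permutation of a-z giving the
    image of each plaintext letter; other characters pass through unchanged."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a-z")
    return text.lower().translate(str.maketrans(ALPHABET, key))


def invert_key(key: str) -> str:
    """Key that undoes `key`, so substitute(substitute(t, k), invert_key(k)) == t."""
    inverse = [""] * 26
    for plain, cipher in zip(ALPHABET, key):
        inverse[ALPHABET.index(cipher)] = plain
    return "".join(inverse)


def caesar_key(shift: int) -> str:
    """Substitution key for a Caesar shift: a -> a+shift, b -> b+shift, ..."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def chi_squared(text: str) -> float:
    """How far the letter counts of `text` are from English; lower is more English-like."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter in ALPHABET:
        observed = letters.count(letter)
        expected = n * ENGLISH_FREQ[letter] / 100
        score += (observed - expected) ** 2 / expected
    return score


def crack_caesar(ciphertext: str) -> int:
    """Recover the shift by trying all 26 and keeping the most English-looking result."""
    def score(shift):
        return chi_squared(substitute(ciphertext, invert_key(caesar_key(shift))))
    return min(range(26), key=score)


if __name__ == "__main__":
    ct = substitute(PLAINTEXT, caesar_key(7))
    print("ciphertext:", ct[:40], "...")
    shift = crack_caesar(ct)
    print("recovered shift:", shift)
    print("plaintext:", substitute(ct, invert_key(caesar_key(shift)))[:40], "...")
```

A general substitution key has 26! possibilities instead of 26, but the same frequency statistics still apply letter by letter, so the attack becomes a short hill-climb rather than a brute force; what a spreadsheet table adds over Caesar is inconvenience, not security.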

FBI asks public for help breaking encrypted notes tied to a murder case

The Cyphered Note

Source: The Lookout

In what seems like a throwback to the still-unsolved Zodiac killings that terrorized the San Francisco Bay Area in the 1970s, the FBI has sent out a public appeal for amateur sleuths to help solve a key cryptographic clue in a 1999 murder case.

On June 30, 1999, police officers in St. Louis, Missouri found the body of 41-year-old Ricky McCormick, who’d been murdered and dumped in a field. The only clues investigators recovered from the scene were two encrypted notes stuffed into the victim’s pockets.

“Despite extensive work by our Cryptanalysis and Racketeering Records Unit (CRRU), as well as help from the American Cryptogram Association, the meanings of those two coded notes remain a mystery to this day, and Ricky McCormick’s murderer has yet to face justice,” the FBI said in a press release today. CRRU chief Dan Olson added, “We are really good at what we do, but we could use some help with this one … Maybe someone with a fresh set of eyes might come up with a brilliant new idea.”

The FBI has reached out to the public with code breaking brain teasers in the past–but they were games, not actual cases. This is the chance for want-to-be FBI sleuths to break their brains on code that is part of a current investigation. The notes are after the jump.

Israel is building a Counter-Cyberterrorist Unit

I thought Israel already had one, especially since Shamir (the S in RSA) is one of the many researchers at the Weizmann Institute of Science!

According to Enterprise Security, Israel is mulling the creation of a counter-cyberterrorism unit designed to safeguard both government agencies and core private sector firms against hacking attacks.

The proposed unit would supplement the efforts of Mossad and other agencies in fighting cyberespionage and denial of service attacks. Israel is, of course, a prime target for hackers from the Muslim world.

The country’s hi-tech industries also make it an interesting target for cyberespionage from government-sponsored hackers from China and elsewhere. Spear-phishing attacks featuring targeted emails, custom malware and subsequent hacking action have been in the news over recent weeks, in the wake of cyberattacks against EU agencies and oil-prospecting multinationals, to quote just two recent threats.

Bioencryption…Said to be unhackable!

E. coli bacterium

Students at Hong Kong’s Chinese University may be onto a type of memory media that could be a truly secure way to store data: text, images, music and video. It takes up almost no space, can be encrypted, and is so gross that it’s unlikely many people would attempt to steal it. That is, if the thief would even consider searching a refrigerator for massive data storage inside E. coli, the bacterium responsible for 90% of urinary tract infections, which can cause food poisoning and is behind many food recalls. The bacteria can successfully and securely be used for biostorage, the storage of data in living things.

According to an AFP report, the U.S. national archives take up more than 500 miles of shelves, but one gram of bacteria used for storing data could hold the same amount of information as 450 hard drives with 2,000 gigabytes (2 TB) each of storage capacity.

“This means you will be able to keep large datasets for the long term in a box of bacteria in the refrigerator,” said student instructor Aldrin Yim about the biostorage project. Also according to Discovery News, another student instructor, Allen Yu said, “Bacteria can’t be hacked. All kinds of computers are vulnerable to electrical failures or data theft. But bacteria are immune from cyber attacks. You can safeguard the information.”

In a post-WikiLeaks world, could security professionals latch onto securely storing data in bacteria cells and mapping the DNA to easily locate specific information? Although a Petri dish PC may not be anywhere close to market-ready, there may come a day when we want bacteria in our computers.

Bruce Schneier commented on the “unhackable” property of biostorage:

Why can’t bacteria be hacked? If the storage system is attached to a network, it’s just as vulnerable as anything else attached to a network. And if it’s disconnected from any network, then it’s just as secure as anything else disconnected from a network. The problem the U.S. diplomats had was authorized access to the WikiLeaks cables by someone who decided to leak them. No cryptography helps against that.