  • government security FAIL

    UK national ID card cloned in 12 minutes | 6 Aug 2009 | ComputerWeekly.com

    lolz.


    I especially like this bit:

    He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

    He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

    Isn't the Australian government also trying to bring in some sort of national ID card, or is my memory a little broken...?
    “Crashing is shit for you, shit for the bike, shit for the mechanics and shit for the set-up,” Checa told me a while back. “It’s a signal that you are heading in the wrong direction. You want to win but crashing is the opposite. It’s like being in France when you want to go to England and when you crash you go to Spain. That way you’ll never get to England!” -- Carlos Checa

  • #2
    In a similar vein

    Feds at DefCon Alarmed After RFIDs Scanned | Threat Level | Wired.com

    Fools



    • #3
      RFID is the same as a magnetic strip - it's all plain text
      "Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation." - Oscar Wilde



      • #4
        Originally posted by merctom View Post
        RFID is the same as a magnetic strip - it's all plain text
        That depends on what format of RFID we're talking. Only the most basic of RFID systems use plain text/numbers. Most commercially available systems use a minimum of a 26bit key (read only) with more advanced products using variable bit length two way verification.

        Much of that article is alarmist and based on ill-informed speculation. Things aren't quite as simple to crack as what they're making out. Secondly, any govt agency using an off the shelf 26bit Wiegand interface really needs a review of their security.
        In complete darkness we are all the same. It is only our knowledge and wisdom that separate us. Don't let your eyes deceive you.
        It's the little things that make the difference
        Originally posted by IPIT on relationships
        If either/both of you can take a dump with the other person being next to you within a week of meeting them then you're in with a VERY good chance.



        • #5
          My driver's license has my name, photo, address, license number and date of birth, and anyone with a pair of eyes can get it all just by looking at the card. How is putting all this information on an RFID card any less secure? But I can see how it would be incredibly useful.

          These cards don't need security because there shouldn't be anything on there that needs to be protected anyway.


          • #6
            Originally posted by Jedi View Post
            How is putting all this information on a RFID card any less secure? But I can see how it would be incredibly useful.
            It can be read remotely....

            Originally posted by Jedi View Post
            These cards don't need security because there shouldn't be anything on there that needs to be protected anyway.
            ... which means if you put sensitive information (say a full copy of your passport) you can pose as someone else

            So yeah



            • #7
              People are getting a little confused here. The UK national ID card is not an RFID card, it's a smart card just like new credit cards and mobile SIM cards. These can not be read remotely. They must be physically inserted into a reader.

              Typical RFID cards do not hold personal information (saving a few exceptions). They simply hold a facility/site code and a user code. They're typically used for access control however more recent times have seen advanced forms of the technology used for applications such as the new Transperth Smart Rider System (which uses a proprietary version of the MIFARE format originally developed by Philips). Any information relevant to the holder of the card is held on a database at the site the card is used at.

              Even though it's possible to clone basic RFID cards, a cloned card will be of little use to anyone if the access control system at the site the card is used for is configured correctly. Features such as anti-passback ensure that once the card has been presented to enter an area of the site, the same card can not enter that area again until such time as it's badged out.

              As for accessing personal information about the holder of the card, you'd require access to the on site EACSMS and be operating on the assumption that the site holds full information on its users (usually, it's just a name). Such systems are usually attached to their own LAN which has no connection at all with the outside world or the everyday working LAN of the site, unless of course that site has no need for alfoil hats.
              In complete darkness we are all the same. It is only our knowledge and wisdom that separate us. Don't let your eyes deceive you.
              It's the little things that make the difference
              Originally posted by IPIT on relationships
              If either/both of you can take a dump with the other person being next to you within a week of meeting them then you're in with a VERY good chance.
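
The facility/user code check and the anti-passback rule described in post #7, as an added example that is not part of the original thread or any vendor's code. It assumes the common open 26-bit Wiegand layout (parity bit, 8-bit facility code, 16-bit user number, parity bit); the class name, function names and card values are constructed for illustration.

```python
# Added example: 26-bit Wiegand frame decoding plus anti-passback state.
# Field layout is the common open 26-bit format (assumed here):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility/site code
#   bits 9-24  user (card) number
#   bit 25     odd parity over bits 13-24

def decode_wiegand26(bits):
    """Return (facility, user) or raise ValueError on a malformed frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def encode_wiegand26(facility, user):
    """Build a frame for test data (constructed values only)."""
    body = f"{facility:08b}{user:016b}"
    even = body[:12].count("1") % 2          # makes the first 13 bits even
    odd = 1 - body[12:].count("1") % 2       # makes the last 13 bits odd
    return f"{even}{body}{odd}"

class AntiPassback:
    """Tracks which cards are inside an area; rejects repeat entries/exits."""
    def __init__(self):
        self.inside = set()

    def badge(self, bits, direction):
        card = decode_wiegand26(bits)
        if direction == "in":
            if card in self.inside:
                return "DENY: already inside (possible cloned card)"
            self.inside.add(card)
        elif direction == "out":
            if card not in self.inside:
                return "DENY: never badged in"
            self.inside.discard(card)
        else:
            raise ValueError("direction must be 'in' or 'out'")
        return "GRANT"

def demo():
    frame = encode_wiegand26(facility=17, user=4242)  # constructed sample card
    apb = AntiPassback()
    # holder enters, an identical frame is presented again, holder leaves
    return [apb.badge(frame, "in"), apb.badge(frame, "in"), apb.badge(frame, "out")]
```

The controller only sees identical frames, so the denial flags a duplicate presentation without telling which card is the genuine one; the event is worth logging and alerting on for that reason.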



              • #8
                Originally posted by Aphex View Post
                People are getting a little confused here. The UK national ID card is not an RFID card, it's a smart card just like new credit cards and mobile SIM cards. These can not be read remotely. They must be physically inserted into a reader.
                Wrong - the new cards used in the UK use RFID. Same as passports and some of the new credit cards in the US.
                "Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation." - Oscar Wilde



                • #9
                  merctom...just saying wrong doesn't make you right...back up info please....
                  A site all parents should check regularly
                  http://www.mako.org.au/temp_a.html



                  • #10
                    A little further reading suggests I may indeed be wrong (one site only) however I'm yet to find anything that conclusively advises on the technology actually used in the final release of the card. Most sources suggest it's a contact smart card. Even so I'd still not be too concerned about it being read remotely as the effective range of passive cards is very limited. Most contactless smart cards are developed under ISO 14443 which allows for communication up to 10cm. There is another standard which allows for comms up to 50cm.
                    In complete darkness we are all the same. It is only our knowledge and wisdom that separate us. Don't let your eyes deceive you.
                    It's the little things that make the difference
                    Originally posted by IPIT on relationships
                    If either/both of you can take a dump with the other person being next to you within a week of meeting them then you're in with a VERY good chance.



                    • #11
                      my comment still stands....may not be a computer geek but sometimes these governments might leave a back door in their systems to trace the people that come for a look through their back door... but hey that means they actually think when they set up systems...... and these systems are set up by really smart guys and the nasty people that tell them what they want them to do on the side are always there......but hey i have no knowledge of that sort of stuff....just have several tinfoil hats......allegedly
                      A site all parents should check regularly
                      http://www.mako.org.au/temp_a.html
