May 17, 2005

Privacy Advocates Sue Homeland Security

Privacy Advocates Sue Homeland Security Office

EPIC takes the government to court for details of a secret national I.D. plan.
By Ann Harrison
SecurityFocus

Apr 2 2002 4:13PM

In a legal challenge to increased government secrecy post-September 11, the non-profit Electronic Privacy Information Center (EPIC) filed a federal lawsuit Tuesday against the Office of Homeland Security and its director, Governor Tom Ridge, seeking release of documents detailing what it says is the government's secret development of a de facto national identification system.

The lawsuit follows EPIC's March 20th request under the Freedom of Information Act (FOIA) for expedited release of the office's records on technical and legislative proposals for such an identification system. The FOIA requires that requests for expedited processing be acted upon within ten days. The Office failed to act on the request, giving EPIC the right to file suit in the U.S. District Court for the District of Columbia.

The Office of Homeland Security had no comment on the lawsuit. http://www.securityfocus.com/news/362

Posted by ann at 11:40 PM

National ID Cards

National ID Plans Face Hurdles

Distributing thousands of card readers, guarding against corrupt insiders, defending against fraudsters and hack attacks... Plans to create a national ID card are fraught with peril.


By Ann Harrison

SecurityFocus

Apr 17 2002 4:29PM

The attacks of September 11 prompted several proposals for national identification cards, but such systems have not been adequately evaluated to determine their overall goals and prevent potential abuses, according to panelists at the Computers Freedom and Privacy Conference, which opened today in San Francisco.

The most troubling such proposal for the privacy-conscious attendees at the conference, now in its 12th year, is an effort by the American Association of Motor Vehicle Administrators to link identification databases in a nationwide computer network.

Panelist Deirdre Mulligan, who serves on the National Academy of Science Committee on Authentication Technologies and their Privacy Implications, charged that the AAMVAnet project is hurrying the nation down the path of a de facto national ID card without discussion of the potential problems of such a system. http://www.securityfocus.com/news/371

Posted by ann at 11:38 PM

Testing Biometrics

Researcher: Biometrics Unproven, Hard To Test

Just how accurate are the face identification systems being rolled out around the country? It turns out, testing them is harder than it looks.
By Ann Harrison,

SecurityFocus

Aug 7 2002 11:57PM

SAN FRANCISCO--James Bond technologies like face recognition, fingerprint sensors, hand geometry, and other biometric security systems may be impossible to accurately evaluate, unless researchers also measure the performance of the testers and the demographics of the subjects, a key researcher said Wednesday.

"Vulnerability tests have been around for a decade, the problem is developing test protocols to test for vulnerabilities," says Dr. Jim Wayman, director of the biometric test center at San Jose State University, speaking at the 11th annual USENIX Security Symposium. "Going from technical results to what happens in a real world system, you have to go through a mathematical modeling system."

Wayman is developing test protocols for evaluation of biometrics device performance, which are slated to post as an annex to the ISO 15408 Common Criteria. He notes that while testing protocols are still in their infancy, millions of dollars are already being poured into biometric systems. http://www.securityfocus.com/news/566

Posted by ann at 11:36 PM

Encryption Breaker


'Creative Attacks' Beat Crypto -- Expert

Professional encryption breaker says Moore's Law increases security risks as fast as it boosts chip storage.


By Ann Harrison,

SecurityFocus Aug 9 2002 11:39AM

SAN FRANCISCO--In 1998 cryptographer Paul Kocher developed a method for deducing the secret key embedded in a cryptographic smart card by monitoring tiny fluctuations in power consumption. Three years earlier, at the tender age of 22, he made headlines with a technique to compromise implementations of the RSA algorithm -- not with a direct frontal assault, but by watching the amount of time a system took to perform certain functions.

Speaking at the Usenix security conference in San Francisco Thursday, Kocher, now president of Cryptography Research, Inc., said creative attacks like these are only becoming more successful as hardware and software solutions grow increasingly complex and difficult to debug.

"Nobody breaks the crypto, they all bypass the crypto," says Kocher. "They are putting bigger crypto keys in there and it doesn't give you bigger security."

Posted by ann at 11:34 PM

Fingerprint Biometric Attack

Hackers Claim New Fingerprint Biometric Attack

By Ann Harrison, SecurityFocus Aug 13 2003 12:09PM

Two German hackers say they have developed a technique to defeat biometric fingerprint scanners used to authenticate electronic purchasing systems. Unlike an earlier fingerprint attack developed by the pair last year, this system creates latex fingertip patches designed to be used while under observation.

The hackers, known as Starbug and Lisa, presented their attack at the Chaos Computer Camp, an open-air event which took place last weekend in East Berlin. "We have developed methods to fake fingerprints on the run," said Lisa.

The past technique used graphite powder and adhesive tape to lift fingerprints off surfaces and fool scanners into accepting them as genuine. This new method involves taking a digital picture of the fingerprint image produced by the graphite powder and adhesive tape. This image is enhanced with graphical software, printed onto foil, and transferred to a photosensitive printed circuit board. The board is exposed and etched to create the three-dimensional structure of the fingerprint. It is then transferred to liquid latex which is dried to create a thin material similar to the consistency of a latex glove. This small piece of latex is attached to a person's fingertip prior to using the scanner. http://www.securityfocus.com/news/6717

Posted by ann at 11:32 PM